What is MACsec?

Summary

The goal of IEEE 802.1AE1 MACsec is to establish secure a secure link from one Ethernet device to another. This protects Ethernet frames from attacks such as sniffing, snooping, spoofing, and Man-in-the-Middle (MitM), which represent 35%2 of all exploits.

MACsec is an encryption standard operating at Layer 2 within the OSI model that provides a secure bi-directional communication link. Protecting against growing threats, the use of MACsec ensures the confidentiality, authenticity, and integrity of Ethernet traffic, protecting data from being tampered with or eavesdropped on without permission. As MACsec operates at Layer 2, it offers enhanced security protection in a high-bandwidth environment without affecting network or CPU performance.

In this page, we will walk through the basics of MACsec, the benefits of using it, and the importance of end-to-end MACsec across your enterprise network. The goal will be to inform organizations in the hope of helping them reduce their risk exposure from unencrypted data traveling within their network.

What is MACsec?

Media Access Control Security (MACsec) offers low-latency traffic encryption at Layer 2. MACsec is a standard defined by IEEE standard 802.1AE and operates at the Ethernet Layer to provide 3 main services:

• Data confidentiality – Only authorized resources can view the data
• Data integrity – Data has not changed while in transit
• Data origin authenticity – Data is verified to be sent from originator

Benefits of MACsec include:

• Line rate encryption for high bandwidth requirements
• Flexible option with low overhead for designing complex networks
• Protecting users’ traffic from attacks like snooping and Man-in-the-middle (MitM)

Why MACsec now?

Market Trends

With emerging technologies and trends like the cloud, Internet-of-Things (IoT), and blockchain, boundaries continue to expand for organizations. Designing, securing, and maintaining this ever-growing list of complex technology stack is a challenge for many organizations. On average, a large enterprise might have more than one hundred security tools in their organization3. This list does not include other tools that may exist in the environment. These tools have vulnerabilities, opening attack vectors for malicious actors to exploit. The design of these tools often requires frequent communications between related services within the network, making the importance of building a secure network more critical than ever. Fortunately, these communications are predictable as they are always required to go through the Ethernet layer, making it simpler to build a secure network.

Securing Data

As technologies evolve over time, one thing that stays true is the importance of Ethernet in data communication in the network. The network – it is responsible for transporting data from point A to point B. The way data is stored and transferred continues to be a primary focus in today’s environment and the primary means to transport data within a network is still through unsecure Ethernet cables.

The advancement of technology also gave rise to attackers with advanced techniques to exploit the network. These attackers usually employ multiple techniques in multiple stages within their attack. For one, they can:

Use snooping techniques by connecting an in-band packet analyzer to look for content at the Ethernet layer.
The Ethernet cables themselves could be prone to wireless sniffing attacks4
Extract the unencrypted/unmonitored information for reconnaissance
Avoid detection unless specific rules are defined to catch attacks deploying eavesdropping techniques where data in transit is intercepted by a malicious party
Additionally, the emergence of modern technologies in combination with old technologies requires the network and the network’s bandwidth to be:

• Fast and robust
• Always on for applications and users

The challenge is then not only do organizations need to provide end-to-end, multi-layer security, but also a high-performance and reliable network.

Why MACsec now

Enabling MACsec can prevent attackers from snooping and tampering with traffic on your network by encrypting data at the Ethernet link layer for full protection. Additionally, with the rise of cyber-breaches, improving the network posture and reducing security risks can have beneficial gains like meeting compliance requirements, reducing insurance rates, and improving the end-user experience.

How does MACsec solve IT challenges?

Traditionally, IT teams focused on encrypting traffic at Layer 3 and above using industry standards like IPsec and Transport Layer Security (TLS). However, this left the lower layers unencrypted and introduced security gaps within the infrastructure. The result is an increased risk for an organization.

The presence of unencrypted traffic means that malicious actors tapping into the network can view Ethernet data payload in plaintext. This can compromise Information that is sensitive to users or information about an organization’s infrastructure.

With MACsec enabled, data is encrypted such that attackers trying to access the Ethernet data payload cannot view, change, or replay the content. Working at the data link layer, MACsec offers the ability to secure the Ethernet link and protect control plane protocols (i.e. DHCP, ARP, and LLDP). This can help mitigate attacks like network reconnaissance, MitM, and more.

Diving deeper into the structure of the traffic being sent, we see that payload (the data) is fully encrypted. At the front of the payload is a Security TAG (SecTAG),that includes fields like a unique packet number (PN) to prevent replay attacks. The Integrity Check Value (ICV) at the end of the payload ensures that data was not modified at any point in time.

To summarize, MACsec achieves data confidentiality with encrypted payload, data integrity with ICV, and data authenticity with SecTAG.

Operators must not only secure the network, but also ensure that the use of security does not interfere with the user experience.

High performance is also a critical requirement. With MACsec, encryption is done with negligible overhead, enabling line-rate performance. Encryption is done at the hardware level (PHY), allowing for business-critical traffic to traverse through the network with low latency.

What does your network need from MACsec?

Security

The network is the foundation for all businesses. Employees and customers communicate using an organization’s network daily and, as such, this should be kept secure. With the prevalence of business-critical applications and ever-increasing user expectations, networks need to be

• Robust
• Secure
• Reliable>
• High performing

To ensure that data is protected at every hop on every appliance, end-to-end traffic encryption must be enabled when traversing the network. The result is complete encryption without sacrificing performance.

Simplicity

As MACsec provides additional security protection without sacrificing performance and bolting on additional security products, the tradeoff is that the implementation of MACsec can be overly complex depending on vendors’ support. The process typically looks something like:

1. First, responsibilities still lie on the company to discover which routers, switches, or access points have support for MACsec
2. The team responsible then needs to configure each of those devices to enable MACsec and implement a policy to use MACsec on every port
3. Finally, whenever there are software upgrades, it is up to the organization to verify the software supports MACsec on each individual device

Additional complexity is created when deploying MACsec end-to-end while ensuring the operational and technical complexity do not outweigh the benefits. Configuring MACsec end-to-end on every device manually:

• • Requires deep technical expertise
  • Increases the chance of human errors
  • Decreases the security posture effectiveness
  • Operationally inefficient

To have a truly secure network, end-to-end traffic encryption via MACsec must be enabled out-of-the-box (OOB) without user intervention and any configuration. Simplicity is the bedrock for all security and as such, deploying end-to-end traffic encryption must be an effortless process for organizations to have a practical implementation.

End-to-end

Simply configuring MACsec in each appliance is time consuming and error prone. To guarantee data confidentiality, integrity, and authenticity, traffic encryption via MACsec must not only be turned on by default and require zero configuration, but also be enabled end-to-end such that companies can be secured from malicious attacks and reduce their overall security risks.

• • 1. IEEE 802.1 Working Group – Security with MACsec
    2. X-Force Threat Intelligence Index, IBM, 2022
    3. “The unsolved opportunities for cybersecurity providers”, McKinsey, (January 5, 2022)
    4. “LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables”, Mordechai Guri, (September 30, 2021)