| Field | Value |
|---|---|
| Graduate student | 陳志豪 Chen, Chih-Hao |
| Thesis title | On the Design of Highly Available and Secure Architecture for Industrial Switching Networks (工業級交換機網路高可用度與安全之架構設計) |
| Advisor | 黃能富 Huang, Nen-Fu |
| Oral examination committee | 張瑞雄 Chang, Ruay-Shiung; 簡榮宏 Jan, Rong-Hong; 李維聰 Lee, Wei-Tsong; 許健平 Sheu, Jang-Ping; 石維寬 Shih, Wei-Kuan; 黃能富 Huang, Nen-Fu |
| Degree | Doctor (博士) |
| Department | College of Electrical Engineering and Computer Science, Institute of Communications Engineering (電機資訊學院 - 通訊工程研究所) |
| Year of publication | 2011 |
| Academic year of graduation | 99 (ROC calendar) |
| Language | English |
| Number of pages | 69 |
| Chinese keywords | 網路安全交換機, 工業網路, 環狀網路快速復原 |
| English keywords | security switch, industrial networks, ring-based networks, fast ring recovery |
Network security has recently become a critical issue in the Internet community. Network administrators generally install network security devices, such as firewalls and Intrusion Detection and Prevention Systems (IPS), near the routers of an enterprise network to prevent attacks from the Internet. However, more than 80% of attacks on a network are launched from infected hosts inside its intranet. The concept of defense-in-depth has therefore emerged, to prevent attacks not only from the Internet but also from internal hosts: security switches provide first-mile protection, while network access control (NAC) technologies ensure that network endpoints are kept updated and free of known vulnerabilities. This study proposes a scalable High Availability (HA) architecture for network security switches with hardware bypass ports. In this architecture, each "security switch" consists of a traditional layer-2 switch and a "security switch engine (SSE)", which provides layer-7 packet inspection and NAC functionality. The two components are connected via a Gigabit Ethernet link. The proposed security switch architecture is especially suitable for industrial networks, where L2 switches are designed with special considerations and are unlikely to be fully replaced.
A mechanism is designed to interconnect the SSEs so that the group of "security switches" provides HA. Experimental results indicate that system reliability remains high even when many SSEs of low individual reliability are linked. A mathematical analysis model is also proposed, and its analytical results are confirmed by the experimental results. Most importantly, the SSE can be realized on a high-performance but cost-effective standard industrial PC (IPC), meaning that the proposed HA security system can be implemented in a very cost-efficient way.
Ring-based industrial networks must possess a fast recovery algorithm for the case in which either a switch node or a link fails. This work also presents a simple yet extremely fast recovery algorithm based on the last-in-backup (LIB) concept, in which the final link added to the ring becomes the backup link. When a link failure occurs later on, the backup link can be activated immediately to recover the ring. The construction time of the spanning tree and the link-down recovery time of the proposed mechanism are also analyzed. The analysis results indicate that the proposed LIB algorithm performs significantly better than the state-of-the-art Media Redundancy Protocol (MRP) defined in the latest version of the IEC 62439 standard. The proposed LIB algorithm is implemented in industrial Ethernet switches as well. Our results further demonstrate that the proposed recovery algorithm is highly practical, with a link-down recovery time of 5.5 ms for 50 switches and 6.5 ms for 250 switches.