Transparent Network Security Policy Enforcement

Recent work in the area of network security, such as IPsec, provides mechanisms for securing the traÆc between any two interconnected hosts. However, it is not always possible, economical, or even practical from an administration and operational point of view to upgrade the software and con guration of all the nodes in a network to support such security protocols. One apparent solution to this problem is the use of security gateways that apply the relevant security protocols on behalf of the protected nodes, under the assumption that the \last hop" between the security gateway and the end node is safe without cryptography. Such a gateway can be set to enforce speci c security policies for di erent types of traÆc. While this solution is appealing in static scenarios (such as building so-called \intranets"), the use of Layer-3 (network) routers as security gateways presents some transparency and con guration problems with regards to peer authentication in the automated key management protocol. This paper describes the architecture and implementation of a Layer-2 (link layer) bridge with extensions for o ering Layer-3 security services. We extend the OpenBSD ethernet bridge to perform simple IP packet ltering and IPsec processing for incoming and outgoing packets on behalf of a protected node, completely transparently to both the protected and the remote communication endpoint. The same mechanism may be used to construct \virtual local area networks," by establishing IPsec tunnels between OpenBSD bridges connected geographically separated LANs. As our system operates in the link layer, there is no need for software or con guration changes in the protected nodes.