• DocumentCode
    2500093
  • Title

    Improving Network Infrastructure Security by Partitioning Networks Running Spanning Tree Protocol

  • Author

    Yeung, K.H. ; Yan, F. ; Leung, T.C.

  • Author_Institution
    City Univ. of Hong Kong
  • fYear
    2006
  • fDate
    26-28 Aug. 2006
  • Firstpage
    19
  • Lastpage
    19
  • Abstract
    Although the spanning-tree protocol (STP) is widely used in switching networks today, it is not until recently that its security performance has been studied by researchers. In this paper, the problem of attacks on STP is addressed. The paper proposes a novel solution that partitions an STP network into two tiers of switching networks. The reason for the partitioning is to hide the STP operation of the network infrastructure (i.e. the higher tier switching network) from the lower tier switching network (that connects to end computers). It is expected that after the partitioning, the lower tier switching network and its connected end computers cannot launch STP attacks on the network infrastructure. To realise the partitioning, a new kind of Ethernet boundary switch is designed and implemented. These boundary switches will on one hand participate in the normal STP operations of both tiers of networks. On the other hand, the modified STP operations inside the boundary switches actually partition the STP operations into a network infrastructure region and a lower tier network region. Experiments on the implemented boundary switches were also run. The results show that the boundary switches were fully functional and could successfully stop STP attacks launched from the lower tier network.
  • Keywords
    local area networks; protocols; security of data; switching networks; telecommunication security; trees (mathematics); STP attacks; lower tier network; network infrastructure security; network partitioning; spanning tree protocol; switching networks; Bridges; Broadcasting; Computer networks; Costs; Ethernet networks; Network topology; Protocols; Stability; Storms; Switches;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Internet Surveillance and Protection, 2006. ICISP '06. International Conference on
  • Conference_Location
    Côte d'Azur
  • Print_ISBN
    0-7695-2649-7
  • Type

    conf

  • DOI
    10.1109/ICISP.2006.13
  • Filename
    1690403