Mac Security (Macsec) - WAGO 852-1328 Product Manual

Industrial managed 6 ports 1000base-t; 2 slots 1000base-sx/lx; mac security

852-1328
Functions

5.1.3 MAC Security (MACSec)

WAGO industrial managed switches support advanced security features that allow traffic
encryption and high throughput. MACsec (Media Access Control Security) is a security
standard specified by the IEEE, also known as IEEE 802.1AE. This IEEE MAC security
standard provides connectionless user data confidentiality, frame data integrity, and data
origin authenticity. MACsec can establish point-to-point security on ETHERNET links
between directly connected nodes. WAGO industrial managed switches support this security
feature and can be used to transparently secure an IEEE 802 LAN connection to a peer
device (such as another switch) that also supports MACsec.

MACsec defines two terms, secure channel and connectivity association, that are used when
setting up secure communication between two switches. A secure channel in MACsec is
unidirectional and is used either for transmitting (outbound traffic) or for receiving
(inbound traffic) data. When MACsec is enabled, a connectivity association consists of two
secure channels: one for inbound traffic and one for outbound traffic.

The point-to-point links can be secured by MACsec after matching security keys are
exchanged and verified between the ports on two different secure switches.

In the static secure association key (SAK) security mode, the user manually configures
the same static SAK on both sides of a connection. There is no key server in this mode,
and the keys must match on the ports of both switches. This can be viewed as setting up
two secure channels within a connectivity association. A periodic manual key update is
suggested in order to prevent the key from being broken by a brute-force attack.
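
The static SAK rules above (same key on both ports, periodic manual update) can be checked before keys are typed into the switches. The following Python script is an added example, not WAGO code; the record layout, switch and port names, the 128-bit hex key format and the 90-day rotation limit are assumptions to adapt to the device and site policy.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

SAK_BITS = 128                    # assumption: 128-bit key entered as 32 hex chars
MAX_KEY_AGE = timedelta(days=90)  # assumption: site policy for manual key updates

@dataclass
class PortSak:
    """Static SAK as recorded for one switch port (hypothetical record layout)."""
    switch: str
    port: str
    sak_hex: str
    installed: date

def new_sak() -> str:
    """Generate a fresh SAK from the OS CSPRNG, hex-encoded for manual entry."""
    return secrets.token_hex(SAK_BITS // 8)

def key_problems(sak_hex: str) -> list[str]:
    """Return format and weakness findings for a single key."""
    try:
        raw = bytes.fromhex(sak_hex)
    except ValueError:
        return ["not valid hex"]
    problems = []
    if len(raw) * 8 != SAK_BITS:
        problems.append(f"length is {len(raw) * 8} bits, expected {SAK_BITS}")
    if len(set(raw)) <= 2:
        problems.append("low-entropy pattern (repeated bytes)")
    return problems

def audit_link(a: PortSak, b: PortSak, today: date) -> list[str]:
    """Audit both ends of one point-to-point link (one connectivity association)."""
    findings = []
    for end in (a, b):
        for p in key_problems(end.sak_hex):
            findings.append(f"{end.switch}/{end.port}: {p}")
        if today - end.installed > MAX_KEY_AGE:
            findings.append(f"{end.switch}/{end.port}: key older than {MAX_KEY_AGE.days} days")
    # Constant-time comparison, so the check itself does not leak key bytes by timing.
    if not hmac.compare_digest(a.sak_hex.lower().encode(), b.sak_hex.lower().encode()):
        findings.append("SAK mismatch between the two ends of the link")
    return findings

if __name__ == "__main__":
    sak = new_sak()  # constructed sample: matching key on both ends, installed long ago
    a, b = (PortSak(s, "port7", sak, date(2024, 1, 1)) for s in ("switch-a", "switch-b"))
    print(audit_link(a, b, today=date(2024, 6, 1)))
```

An empty result means both ends hold the same well-formed key and neither is overdue for a manual update.
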
Product manual | Version: 1.2.0
Industrial Managed Switch
