ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

Similar documents
NATIONAL RESEARCH AGENCY CASE STUDY - CCTV NETWORK SERVICES

SECURE AVAYA FABRIC CONNECT SOLUTIONS WITH SENETAS ETHERNET ENCRYPTORS

ETHERNET ENCRYPTION MODES TECHNICAL-PAPER

LAYER 2 ENCRYPTORS METRO AND CARRIER ETHERNET METROS AND WIDE AREA NETWORKS ETHERNET ENCRYPTION FOR PRESENTS:

How To Secure My Data

Layer 2 Network Encryption where safety is not an optical illusion Marko Bobinac SafeNet PreSales Engineer

High speed Ethernet WAN: Is encryption compromising your network?

SENETAS CERTIFIED NETWORK DATA ENCRYPTION FOR COMMERCIAL AND INDUSTRIAL

SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and

Senetas CERTIFIED network data security - For commercial & industrial SENETAS CERTIFIED NETWORK DATA SECURITY - FOR COMMERCIAL & INDUSTRIAL

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

IN CONTROL AT LAYER 2: A TECTONIC SHIFT IN NETWORK SECURITY.

High Speed Ethernet WAN: Is encryption compromising your network?

Senetas CERTIFIED network data security - For Government SENETAS CERTIFIED NETWORK DATA SECURITY - FOR GOVERNMENT

L2 Box. Layer 2 Network encryption Verifiably secure, simple, fast.

ethernet services for multi-site connectivity security, performance, ip transparency

THE DATA PROTECTION COMPANY HIGH EFFICIENCY SWITCHABLE CERTIFIED ENCRYPTION UP TO 10 GBPS CN6000 SERIES

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests

Layer 2 Encryption Fortifying data transport

VXLAN: Scaling Data Center Capacity. White Paper

TrustNet Group Encryption

Securing IP Networks with Implementation of IPv6

Chapter 9. IP Secure

HIGH PERFORMANCE ENCRYPTION SOLUTIONS SECURING CRITICAL NATIONAL INFRASTRUCTURE

Virtual Privacy vs. Real Security

Cisco Which VPN Solution is Right for You?

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Best practices for protecting network data

Advanced VSAT Solutions Bridge Point-to-Multipoint (BPM) Overview

High Speed Encryption Made in Germany

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

40G MACsec Encryption in an FPGA

MPLS over IP-Tunnels. Mark Townsley Distinguished Engineer. 21 February 2005

In-Flight Encryption. Jim Theodoras. Feb 2014

WHITEPAPER. VPLS for Any-to-Any Ethernet Connectivity: When Simplicity & Control Matter

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

What is VLAN Routing?

TDM services over IP networks

MPLS VPN basics. E-Guide

How To Protect Your Data With A Senior Security Encryptor From Being Hacked By A Hacker

Multi Protocol Label Switching (MPLS) is a core networking technology that

hp ProLiant network adapter teaming

Demonstrating the high performance and feature richness of the compact MX Series

Network virtualization

Network Virtualization Network Admission Control Deployment Guide

Big Data solutions-paper

Site to Site Virtual Private Networks (VPNs):

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

1. Securing Untrusted Layer 2 Networks The Different Processing Approaches to Implementing Network Encryption... 3

Security vulnerabilities in the Internet and possible solutions

Virtual Private LAN Service

Basics of Internet Security

Protocol Security Where?

Introduction to Computer Security

MPLS/IP VPN Services Market Update, United States

Lecture 17 - Network Security

Link Layer. 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: ATM and MPLS

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

High Performance VPN Solutions Over Satellite Networks

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam

Group Encryption. The key to protecting data in motion BLACK BOX blackbox.com

Ethernet, VLAN, Ethernet Carrier Grade

data Centres solutions-paper

Network Security Topologies. Chapter 11

Case Study for Layer 3 Authentication and Encryption

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Communication Networks. MAP-TELE 2011/12 José Ruela

ESSENTIALS. Understanding Ethernet Switches and Routers. April 2011 VOLUME 3 ISSUE 1 A TECHNICAL SUPPLEMENT TO CONTROL NETWORK

Overview of Routing between Virtual LANs

Securing VoIP Networks using graded Protection Levels

LAYER 1 & LAYER 2 ENCRYPTION WHY: ONE SIZE DOES NOT FIT ALL

IP/MPLS-Based VPNs Layer-3 vs. Layer-2

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Using Carrier Ethernet to Create Cost Effective and Secure Wide Area Networks How Layer 2 Encryption Enables Better Use of Bandwidth.

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

Ethernet. Ethernet. Network Devices

Introduction to Computer Security

Security in Wireless Local Area Network

Axon: A Flexible Substrate for Source- routed Ethernet. Jeffrey Shafer Brent Stephens Michael Foss Sco6 Rixner Alan L. Cox

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Asynchronous Transfer Mode: ATM. ATM architecture. ATM: network or link layer? ATM Adaptation Layer (AAL)

MPLS and IPSec A Misunderstood Relationship

Master Course Computer Networks IN2097

Implementing VoIP support in a VSAT network based on SoftSwitch integration

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

EVOLVING ENTERPRISE NETWORKS WITH SPB-M APPLICATION NOTE

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

INFRASTRUCTURE CONTROL SYSTEMS ENCRYPTION

Cisco Dynamic Workload Scaling Solution

Chapter 2 - The TCP/IP and OSI Networking Models

Communication Systems Internetworking (Bridges & Co)

Transcription:

HERN WAN ENCRYPTION SOLUTIONS COMPARED KEY WORDS AND TERMS MACsec, WAN security, WAN data protection, MACsec encryption, network data protection, network data security, high-speed encryption, Senetas, Senetas encryption, Senetas CN encryptors, MACsec security standard, Cisco encryption, Cisco MACsec, Cisco TrustSec, Cisco router encryption, Cisco switch encryption, carrier connected WAN security, hardware encryption, certified encryption. AUDIENCE This Senetas White-Paper will be of interest to the following readers chief information security officers, chief information officers, chief financial officers, chief technology officers, data network managers, network architects, network engineers, information security managers, data security professionals, data network professionals, systems integrators, IT procurement professionals, data network providers, Cloud and datacenter service providers. DESCRIPTION Ethernet WAN Security Solutions Compared examines the pros and cons and compares Senetas dedicated encryption hardware of high-speed network data with the application of the Media Access Control (MACsec) security standard in other devices highlighting important security and performance trade-offs. This Senetas White-Paper describes the comparative security and performance benefits of Ethernet WAN data security solutions. We compare the benefits of Senetas Layer 2 high-speed encryption (HSE) hardware with integrated encryption using MACsec or TrustSec. In summary, because the MACsec security standard was designed to protect data on Local Area Networks (LANs), it is not suitable for use on Wide or Metropolitan Area Networks (WANs or MANs). Unlike Senetas purpose-designed CN encryptors, MACsec used on WANs may result in reduced security and high network overheads leading to poor performance. FEB/2015

INTRODUCTION Network data security risks are well known, including serious data breaches at the Data Link Layer Layer 2 in Wide Area Networks (WANs) and carrier-connected network services. 02 Consequently, encryption of sensitive data is adopted by the world s most secure organizations and market leaders as the optimal information security technology. Government agencies around the world have set demanding certification standards for encrypting sensitive transmitted data. Senetas s product legacy lies in meeting these rigorous demands through purpose-designed, certified, high-speed encryptors, dedicated to protecting sensitive data without compromising network performance. Similarly, commercial organizations adopt encryption as the optimal approach to protecting sensitive data transmitted across their Wide and Metropolitan Area Networks that interconnect their different sites. As their business plans increase, demand for Cloud and data centre services and Big Data technologies, their WANs rapidly grow, exposing the organizations to new and serious threats. Simply put, encryption protects the data itself in the event of a network breach. When prevention security (e.g. firewalls etc.) technologies fail, encrypted data is protected the data is rendered useless in unauthorized hands. However, as various Layer 2 encryption technologies have evolved, many come with security weaknesses and inefficiencies. Some add significant network overheads that compromise network performance, which also proves costly. Other encryption technologies add significant complexities when other network devices are present, such as in large or more complex multi-point-to-multi-point topologies. As market demand for Ethernet data security increases, encryption is increasingly implemented within conventional network equipment such as routers and switches. Such encryption implementation often uses IPsec at Layer 3; or MACsec for Ethernet frames at Layer 2. Whilst different approaches may be taken to the implementation and deployment of network data encryption; when evaluating different solutions it is important to understand the tradeoffs (and compromises) in both data security and network performance that may apply. THE ISSUE PROTECTING HERN NWORK TRANSMITTED DATA For maximum data protection on both LAN and Ethernet WANs sensitive data should be encrypted. Ethernet network traffic that is not encrypted is vulnerable to a variety of attacks such as snooping, spoofing, tampering, replay and unauthorized traffic analysis. Each attack type results in sensitive data getting into attackers hands. The MACsec security standard was designed specifically to provide port based security across Local Area Networks (LANs); Senetas CN high-speed encryptors are purpose-designed to protect data transmitted across Metropolitan and Wide Area Networks including Carrier Ethernet services regardless of the topologies and architectures used. Whether the WAN is a simple point-to-point or a highly complex multi-point-to-multi-point fully meshed network; Senetas CN encryptors provide maximum encryption security without compromising network performance.

MACSEC Known as MACsec, (802.1AE) the IEEE MAC security standard defines connectionless data confidentiality and authentication to enable secure communications on Local Area Networks. 03 MACsec is defined by two IEEE standards: > > 802.1ae - defines the frame format, encryption algorithm, data authentication and Ethernet frame processing > > 802.1x-2010 - defines port based authentication and the MACsec Key Agreement protocol MKA. MACsec is a security standard originally designed for LAN use - to prevent network data sniffing and unauthenticated access to network resources. The MACsec security standard was specifically designed to secure hop-by-hop** network connections requiring every port at the end of an Ethernet segment to be MACsec compliant (trusted). However, when transmitting data across WANs using MACsec, the data will be encrypted and decrypted on every MACsec enabled device in the path. This means that each intermediate network device in the traffic path has full visibility of the data. Therefore, MACsec does not provide end-end* security. This hop-by-hop data journey causes a serious WAN security risk by leaving the data completely unprotected at each node. The hop-to-hop data journey is also highly inefficient and unnecessarily complex. MACsec may be carried on pseudo-wire connections across a WAN, removing the requirement for each hop to support the protocol. Pseudo-wires provide a LAN emulation capability by encapsulating the Ethernet traffic with an additional header so that it may be sent across the native transport network e.g. MPLS, IP or SON networks. However, when the underlying transport network itself is an Ethernet service, pseudowires are unnecessary because they introduce a significant overhead and additional complexity. In this case native encryption at the Ethernet frame Layer is much preferred for efficiency. Therefore, it is for these important reasons that MACsec is not a suitable protocol for use on carrier-connected Ethernet WANs. MACSEC IMPLEMENTATIONS MACsec is a common feature in modern Ethernet switches and may be used to enable strong data security on Ethernet links, providing data confidentiality and integrity using GCM-AES-128 encryption. MACsec is commonly implemented on switch downlink ports where it is used to protect local area Ethernet segments. For example Cisco switches support MACsec on downlink ports but do not support it on switch-to-switch uplinks. To encrypt inter-switch data, Cisco switches use a proprietary extension known as TrustSec. TrustSec is based on the MACsec security standard and therefore is also limited to hopby-hop scenarios. These restrict TrustSec to use on direct connections. Hence TrustSec may not be used on metro-ethernet services nor carrier-provided label switched services.

HIGH-SPEED ENCRYPTION HARDWARE AND NWORK FIT By comparison, Senetas HSE has been specifically designed to provide end-toend data encryption across any type of data network topology, including service provider networks. Senetas encryptors are used globally on WAN infrastructures in point-to-point, hub and spoke and fully meshed environments. Provided that the underlying carriage is Layer 2 there are no restrictions on the number of hops, intermediate nodes or service provider networks that may be protected. 04 Senetas CN encryptors are extensively used by many of the world s most secure organizations and market-leaders to protect sensitive information transmitted across a wide range of global, international and national WAN infrastructures. Most importantly, at every point in the network the Senetas encryption protected data remains encrypted and is not decrypted until it reaches an authenticated Senetas encryptor at the intended destination! There are no weak-points in the Senetas hardware encryption process and the data s journey there are no security gaps. The Senetas encryptors HSE policy is very powerful yet simple to implement and manage. Senetas CN encryptors may be centrally managed over the network using the Senetas CM7 encryptor management application, which enables a large number of encryptors to be setup quickly and simply across all topologies. THE ENCRYPTION TAX ENCRYPTION OVERHEADS AND NWORK PERFORMANCE All encryption necessarily introduces some additional traffic on the network - often referred to as the encryption tax. This tax depends upon how encryption is implemented as well as any specific security features required. The size of that overhead may significantly impact the performance of the network. Generally, encryption overheads arise from: > > Network frames that are inserted by encryptors to ensure encryption keys are regularly updated between and among encryptors and for the purpose of remote encryptor management > > Additional per-frame overheads to provide synchronization, packet integrity and data origin authentication. The amount of data overhead is dependent upon the encryption mode used. The inserted overhead is typically minimal (far less than 0.1% of the network link); however the per-frame overhead is higher and may range from 0 to 82 bytes per frame. The highest per-frame overhead occurs when confidentiality, frame integrity and data origin authentication features are all required, leading to a trade-off among the security features used and the desired/achievable network performance. If confidentiality of the frame payload is the only requirement then the per-frame overhead may be removed entirely. The Senetas CN encryptor platform provides highly efficient native Ethernet encryption - ensuring the encryption tax is absolutely minimal. When using low overhead transport mode under real world conditions, Senetas encryptors may achieve 100% line rate for all packet sizes! Senetas CN encryptors provide a wide choice of encryption modes, which include: > > Fully authenticated mode: 24 byte per frame overhead providing confidentiality, frame integrity, data origin authentication and replay protection > > Simple transport mode: Between 0-8 bytes per frame overhead providing confidentiality and replay protection

Senetas Encryption at Layer 2 05 DA SA VID MAC Header (18 bytes) Payload Data (16-1500 bytes) CRC Checksum (4 bytes) Simple transport mode Zero overhead all IP headers protected encrypted DA SA VID IV Payload ICV CRC MAC Header (18 bytes) SecTag (8 bytes) Data (16-1500 bytes) Integrity Check Value (4-16 bytes) Checksum (4 bytes) authenticated encrypted authenticated Authenticated mode Integrity reply protection 24 bytes overhead worst case Figure 1 High Speed Encryption modes Figure 1 shows the encrypted frame format, the user may configure the mode using the Senetas CM7 encryptor management tool. Note: Available encryption modes may vary by encryptor model, link speed and selected network mode (i.e. Line, VLAN or Mac). In the case of MACsec it has an additional per frame overhead of 32 bytes and Cisco TrustSec increases this overhead to 40 bytes because an additional 8 bytes of Cisco metadata is present - see Figure 2. authenticated encrypted DMAC 802.1AE SMAC 802.1Q CMD YPE PAYLOAD Header ICV CRC CMD EtherType Version Length SGT Opt Type SGT Value Other CMD Options Figure 2 - Cisco TrustSec Further, when using Cisco TrustSec over a carrier-connected network it is necessary to encapsulate the entire Ethernet frame inside an IP packet that is transported over Ethernet. Cisco refers to this as Overlay Transport Virtualization (OTV), which adds another 42 bytes per frame resulting in a total data overhead of 82 bytes per frame! For details refer to: http://www.cisco.com/c/en/us/td/docs/solutions/ Enterprise/Borderless_Networks/Unified_ Access/BYOD_Design_Guide/BYOD_Network_ Design.html

Real encrypted throughput for varying frame size and encryption mode 06 100% 90% Throughput 80% 70% 60% Sen CTR Sen GCM MACSec Cisco TrustSet 50% 64 128 256 512 1024 1280 1518 Frame Size Figure 3 Network throughput for different encryption modes Figure 3 shows the achievable throughput for different frame sizes in several different encryption modes. Note: figure 3 shows the theoretical (not measured) throughput that is achievable given the per-frame overhead. These are therefore best case scenarios that assume the encryption engine can actually keep up with the maximum achievable throughput. The per-frame overhead may have a significant impact on the performance of the network and significantly reduce network throughput. This overhead also imposes a significant financial cost of lost network performance. The top-most line in figure 3 shows that 100% throughput may be achieved for all frame sizes when using Senetas encryptors transport encryption mode. Even when using full authentication mode Senetas CN encryptors may achieve nearly 90% throughput for small frames. By contrast, the red line at the bottom of figure 3 shows the throughput achieved for Cisco TrustSec with 40 bytes of overhead. In this mode the network bandwidth is reduced by nearly 35% for small and medium sized frames thus limiting the scalability of the solution and making it unsuitable for heavily utilized connections. Across a carrier-connected Ethernet WAN link, using Cisco s OTV encryption, the data overhead is nearly doubled. This data overhead significantly reduces the throughput even further. Significantly and in contrast, RFC2544 testing**** demonstrates that the Senetas FPGA encryption engine may achieve 100% line rate for all packet sizes when using low overhead transport mode under real world conditions latency is approximately 6 microseconds at 10Gbps.

ENCRYPTORS HARDWARE SECURITY Senetas CN high-speed encryptors are purpose-designed and built to the highest government certification standards. They have been independently tested by international testing authorities and hold all four major certifications for cryptographic products. 07 The certifications held among the various CN platform model encryptors are: > > Common Criteria EAL4+ and EAL2+ > > FIPS 140-2 level 3 > > CAPS Baseline > > NATO Green Restricted. Senetas encryptors include strong physical protection to prevent tampering or probing of the encryptors, such as attempts to access encryption keys. Further, hardware random number generators generate genuine random encryption keys that are stored securely within the encryptors protected physical enclosures. Router or switch based encryptors are not designed to provide an equivalent level of physical security. Consequently, this means that critical security parameters such as keys and passwords may be considerably more vulnerable and susceptible to physical compromise without such protection mechanisms. The use of network devices such as routers and switches as encryptors also fails to provide the optimal separation of duties between network and security management duties. Separation of duties is often referred to as a data security best practice. * End-to-end is a term used here to describe the transmitted data s whole journey where the data begins its journey encrypted until it completes its whole journey where it is then decrypted. ** Hop-by-hop is a term used to describe data s transit journey on a network. Each hop is when data reaches a device such as a switch. This differs to end-to-end where the data remains encrypted for the whole journey. *** Senetas encryptors hold all four leading independent, international testing authority certifications FIPS, NATO, Common Criteria and CAPS. **** Benchmarking methodology for network interconnect devices.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information