Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Similar documents
WAN Optimization in MPLS Networks- the Transparency Challenge!

Virtual Privacy vs. Real Security

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Lab Developing ACLs to Implement Firewall Rule Sets

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks

Cisco Which VPN Solution is Right for You?

IOS NAT Load Balancing for Two ISP Connections

WAN Optimization. Riverbed Steelhead Appliances

Cisco CCNP Optimizing Converged Cisco Networks (ONT)

LinkProof And VPN Load Balancing

MS Series: VolP Deployment Guide

IP videoconferencing solution with ProCurve switches and Tandberg terminals

Firewall Troubleshooting

Flow Analysis Versus Packet Analysis. What Should You Choose?

- QoS Classification and Marking -

How Network Transparency Affects Application Acceleration Deployment

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Quality of Service (QoS) for Enterprise Networks. Learn How to Configure QoS on Cisco Routers. Share:

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

How To Extend Security Policies To Public Clouds

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Polycom. RealPresence Ready Firewall Traversal Tips

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Firewalls P+S Linux Router & Firewall 2013

Implementing Cisco Quality of Service QOS v2.5; 5 days, Instructor-led

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

How To Use The Cisco Wide Area Application Services (Waas) Network Module

the about MPLS security

What s New in VMware vsphere 5.5 Networking

Configure Policy-based Routing

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

TrustNet Group Encryption

November Defining the Value of MPLS VPNs

This topic lists the key mechanisms use to implement QoS in an IP network.

Introduction to Security and PIX Firewall

IMPLEMENTING CISCO QUALITY OF SERVICE V2.5 (QOS)

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

"Charting the Course to Your Success!" QOS - Implementing Cisco Quality of Service 2.5 Course Summary

Interconnecting Cisco Network Devices 1 Course, Class Outline

Sample Configuration Using the ip nat outside source static

The Basics. Configuring Campus Switches to Support Voice

NB6 Series Quality of Service (QoS) Setup (NB6Plus4, NB6Plus4W Rev1)

Best practices on cellular M2M deployment. Paul Bunnell November 2014

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Introduction. The Inherent Unpredictability of IP Networks # $# #

IP Office Technical Tip

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Cisco IOS Flexible NetFlow Technology

WAN Failover Scenarios Using Digi Wireless WAN Routers

IPv6 Fundamentals, Design, and Deployment

AlliedWare Plus OS How To. Configure QoS to prioritize SSH, Multicast, and VoIP Traffic. Introduction

21.4 Network Address Translation (NAT) NAT concept

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

AppDirector Load balancing IBM Websphere and AppXcel

GPRS / 3G Services: VPN solutions supported

WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Quality of Service (QoS) Setup Guide (NB604n)

IPv6 Security: How is the Client Secured?

OpenDaylight Project Proposal Dynamic Flow Management

Cisco Certified Security Professional (CCSP)

Lab Organizing CCENT Objectives by OSI Layer

The BANDIT Products in Virtual Private Networks

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

SILVER PEAK ACCELERATION WITH EMC VSPEX PRIVATE CLOUD WITH RECOVERPOINT FOR VMWARE VSPHERE

Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?

INTRODUCTION TO FIREWALL SECURITY

Network setup and troubleshooting

Configuring NetFlow-lite

Gaining Operational Efficiencies with the Enterasys S-Series

How To Learn Cisco Cisco Ios And Cisco Vlan

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Accurate End-to-End Performance Management Using CA Application Delivery Analysis and Cisco Wide Area Application Services

IP Filter/Firewall Setup

Network Virtualization Network Admission Control Deployment Guide


"Charting the Course...

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Configuring Auto-QoS

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Network Considerations for IP Video

How To Use A Cisco Wvvvdns4400N Wireless-N Gigabit Security Router For Small Businesses

athenahealth Interface Connectivity SSH Implementation Guide

Voice Over IP and Firewalls

LAN Planning Guide LAST UPDATED: 1 May LAN Planning Guide

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

NetFlow/IPFIX Various Thoughts

DS3 Performance Scaling on ISRs

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

Telepresence in an IPv6 World. Simplify the Transition

Cisco and Visual Network Systems: Implement an End-to-End Application Performance Management Solution for Managed Services

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

NATed Network Testing IxChariot

Transcription:

Certes Networks Layer 4 Encryption Network Services Impact Test Results

Executive Summary One of the largest service providers in the United States tested Certes Networks Layer 4 payload encryption over their MPLS network. In each test, the encrypted traffic traversed the MPLS network as expected. The PBR test was designed to bypass normal routing (via routing table). Interesting traffic was successfully routed after encryption using port-based PBR rules. The tests clearly demonstrated that the Certes Networks encryption solution passes packets with Layer 2 through Layer 4 headers in clear text while encrypting the data payload and without disrupting network services or applications. The unique capabilities of the Certes Networks Layer 4 encryption solution also makes troubleshooting an encrypted network easier. The Certes Networks Layer 4 encryption solution is designed to be completely agnostic to the WAN. If you have a working network, then the solution can surround and protect the network without impacting network services or applications. Note: The following encryption capabilities are not possible with traditional, appliance-based IPsec encryption solutions because all of the Layer 4 header information would be encrypted. -2-

Introduction Certes Networks has deployed multiple network encryption solutions on various types of networks around the world. When you need to encrypt your data in motion, Certes Networks makes it easy. Whether you need to protect a single link, or your entire network, Certes Networks eliminates the complexity of encrypting today s networks. Certes Networks has extended their encryption capabilities to include the ability to encrypt Layer 4 payload data while the Layer 4 header information remains in the clear. This functionality allows for Layer 4 network services to run while the data payload is encrypted. The Service Provider tested the Certes Networks Layer 4 encryption capabilities to measure the impact of the Certes Networks solution on CoS markings, Network Address Translation (NAT), Policy Based Routing and Netflow. The Tests In order to fully test the performance of the Certes Networks Layer 4 encryption solution, the following tests were performed. Class of Service (CoS) Markings after Encryption Test Setup: Two data streams were generated between two endpoint PCs using TCP ports 10 and 20. These TCP streams were sent with default DSCP (00) marking. They passed through the Certes Networks device with Layer 2, 3 and 4 headers in clear text. This was verified through packet capture on the remote side of Certes Networks appliance. -3-

On the Customer Edge (CE) router, an extended Access Control List (ACL) was configured to match on specific IP and TCP ports. TCP port 10 traffic was marked and classified into the Class 2 queue or DSCP AF31. TCP port 20 was classified into the Class 1 queue or DSCP EF. Classifications and markings were verified through "sho policy-map int" command. In addition, packets were captured on the far-end CE router (off the remote end of the Certes Networks appliance). TCP ports 10 and 20 traffic was clearly marked with DSCP AF31 and EF. Test Results: The markings were set correctly after encryption, passed through the MPLS network and were present after decryption. Network Address Translation (NAT) after Encryption Test Setup: NAT was enabled on the CE router to NAT the source IP address. Packets were sent from 10.64.44.x address. As they passed through the Certes Networks appliance, the data payload was encrypted while the address was preserved. The packets were then switched to the CE router. On the CE router, the 10.64.44.x address was translated to a 192.168.44.x address. Test Results: Even though the address translation occurred after encryption, Certes Networks was able to successfully decrypt the NAT'd packets. Traffic was properly decrypted at the other end with the NAT'ed IP address on the clear packet after decryption. Policy Based Routing (PBR) after Encryption Test Setup: On the CE router, PBR was set up to re-route packets based on Layer 4 port information. An extended ACL was setup to match on a specific IP -4-

and TCP port to redirect packets as it entered the router. Instead of following the normal routing (via routing table), interesting packets were routed based on PBR policies. Test Results: Although the data was encrypted, the traffic successfully bypassed the MPLS network based on the PBR port based rule. The CE router had no problem applying PBR rules based on the Layer 4 information of packets encrypted by CipherEngine. Capturing Netflow Statistics after Encryption Test Setup: Depending on the physical and logical placement of Netflow monitored devices, Netflow packets may or may not be encrypted. For this test, Netflow configuration and monitoring was set up on the CE routers beyond the encryption appliances. The 10.64.36.20 PC was configured as the Netflow collector and data was sent through the network. Test Results: The Netflow analyzer successfully collected address, protocol and port information after the data was encrypted using Layer 4 encryption. Layer 4 Encryption Tests Summary The tests clearly demonstrate that the Certes Networks encryption solution successfully passes packets with Layer 2 through Layer 4 headers in clear text while encrypting the rest of the packet over any network. They also prove that -5-

Certes Networks solution can encrypt data without disrupting network services or application performance. This allows customers to run Class of Service, Network Address Translation, Policy Based Routing, Netflow and any other router commands that may require Layer 4 information. Troubleshooting Benefit With traditional IPsec encryption, all packets are encrypted and marked as ESP (protocol 50) packets. If there is a problem with an application, network engineers are not able to identify the applications because the application port information is encrypted. This makes troubleshooting an encrypted network difficult. With the Certes Networks Layer 4 encryption solution, the information needed to identify the application remains in the clear on the packet, while the data itself is encrypted. This allows network engineers to troubleshoot a network that is encrypted using Layer 4 encryption with the same methodology as they normally do. About Certes Networks Certes Networks (formerly CipherOptics) is the leader in developing scalable security solutions for high performance networks. We provide advanced encryption and policy and key management solutions for securing wide area networks, and enable secure connectivity to private and public clouds. Certes Networks helps organizations improve security, decrease risk, and reduce the cost of compliance with data privacy regulations while enabling high performance and secure connectivity to critical infrastructures in the branch office, data center or in the cloud. -6-

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information