Virtual Privacy vs. Real Security
Certes Networks at a glance
- Leader in multi-layer encryption
- Offices throughout North America, Asia and Europe
- Growing installed base with customers in 37 countries
- Developing high-performance security solutions for wide-area networks, data centers and public cloud
CERTES 2011
Product Milestones and Industry Firsts
- First 1 Gbps Ethernet encryption appliance: 2003
- First release of CipherEngine: 2006
- First multi-layer encryption appliances: 2008
- First variable speed encryption appliances: 2010
- First multi-layer 10 Gbps encryptor: 2011
Customers and Partners
Where is your data NOT protected? What is your security solution for here?
- Perimeter security
- Defense in depth
Your carrier says the WAN is secure because it is "virtually private". This may have been true in 1998, but today it is a dangerous and outdated concept.
Who is it we are defending against? (9600 baud, baby!)
Does Privacy Equal Security?
The service provider says the network is secure. A product director said security was built in to MPLS based on the following:
- Traffic streams are kept separate
- There are controls around provisioning and management
- There are gateways between the public Internet and the MPLS network
- They have tools to identify malicious activity
What is MPLS?
MPLS is primarily a packet forwarding technology. Traffic forwarding is based on a label, and a packet can carry multiple labels (a label stack). Other services have been added over the years: Layer 2 or Layer 3 VPNs, traffic shaping, monitoring services.
1. A label is added to the packet at the edge of the MPLS network.
2. Packets are moved across the backbone using labels; the labels are swapped out by backbone routers.
3. The label is removed when the packet reaches the customer network.
MPLS is not secure!
MPLS facts: MPLS does not provide
- protection against mis-configurations
- protection from attacks within the core
- confidentiality, authentication or data integrity
Customer security is not part of the design. Each 32-bit MPLS label stack entry carries only Label (20 bits), TC (3 bits, Traffic Class), S (1 bit, bottom of stack) and TTL (8 bits). The MPLS header contains no security fields at all, and the IP packet (the data payload) behind it is left in the clear.
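To make the two preceding slides concrete, here is an added example (not Certes code, not from the original deck) that builds a constructed Ethernet frame carrying a two-label MPLS stack over a customer IPv4/UDP packet, then parses it the way a tap in the provider core would. The label values, MAC and IP addresses and the application payload are all made up; the point is that after the label stack entries (Label/TC/S/TTL) there is nothing but the customer's packet, readable as-is.

```python
import struct

# Constructed sample values (not from the page): a customer packet carried across an
# MPLS backbone with a two-label stack (outer transport label, inner VPN label).
# EtherType 0x8847 is MPLS unicast (RFC 3032).
ETHERTYPE_MPLS = 0x8847


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4/UDP packet builder (UDP checksum left at 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def mpls_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """One 32-bit label stack entry: Label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def build_mpls_frame(labels, inner_packet: bytes) -> bytes:
    """Ethernet header + label stack + the customer's IP packet, exactly as sent."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_MPLS)
    stack = b"".join(mpls_entry(lbl, 0, i == len(labels) - 1, 255) for i, lbl in enumerate(labels))
    return eth + stack + inner_packet


def parse_mpls_frame(frame: bytes) -> dict:
    """What a tap in the provider core sees: the labels, then the customer packet in the clear."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_MPLS:
        raise ValueError("not an MPLS frame")
    off, labels = 14, []
    while True:
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        labels.append({"label": entry >> 12, "tc": (entry >> 9) & 0x7,
                       "s": (entry >> 8) & 1, "ttl": entry & 0xFF})
        if (entry >> 8) & 1:  # S bit: bottom of stack reached
            break
    # No field in any stack entry is a cipher, MAC or key identifier. The bytes that
    # follow are the customer's IP header and payload, neither encrypted nor authenticated.
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    result = {"labels": labels,
              "src": ".".join(str(b) for b in ip[12:16]),
              "dst": ".".join(str(b) for b in ip[16:20]),
              "proto": ip[9]}
    if result["proto"] == 17:  # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        result.update({"sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + ulen]})
    return result


SAMPLE_PAYLOAD = b"ACCT=12345678;AMT=1000.00"  # constructed application data
SAMPLE_FRAME = build_mpls_frame(
    [17003, 42],
    build_ipv4_udp("10.1.1.10", "10.2.2.20", 40000, 5060, SAMPLE_PAYLOAD))

if __name__ == "__main__":
    seen = parse_mpls_frame(SAMPLE_FRAME)
    print(seen["labels"])
    print(seen["src"], "->", seen["dst"], seen["sport"], seen["dport"])
    print(seen["payload"])  # readable account data, straight off the core link
```

Swapping the labels, or the whole transport path, changes nothing about the inner packet; that is the "virtually private" part, and it is all MPLS offers.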
Virtual Privacy is not Real Security
VPNs segment data. Privacy and virtual privacy are not the same as security!
- MPLS (VPLS): data is sent in the clear
- Metro Ethernet: data is sent in the clear
- Internet VPN
Threats to data in motion:
- Human or machine errors can result in your data being sent to other VPN customers
- Man-in-the-middle, botnet and DDoS attacks
- Data sniffing and theft that the customer cannot detect
- Easily circumvented branch firewalls leave HQ and data centers vulnerable
The Trade-off Between Performance and Security
Modern networks require:
- Any-to-any connectivity
- Scalability
- High-speed, low-latency performance
- High-availability architectures (load balancing, DR)
- Layer 2-4 services
Traditional network encryption:
- Is limited to point-to-point connections
- Becomes exponentially complex with scale
- Induces latency and chokes throughput
- Requires manual failover procedures
- Masks headers
Group Encryption Provides Security and Performance
Our modern approach to encryption:
1. Define policies based on your existing network or application topologies.
   Topologies: mesh, hub and spoke, multicast, hybrids. Applications: voice, video, control data, FTP or other protocols.
2. Create the keys needed to support the policies. CipherEngine uses standards-based security protocols: AES-256, SHA-1 and IPsec. (SHA-1 here is the HMAC hash of the 2011-era IPsec profiles; HMAC-SHA1 is not broken by SHA-1 collision attacks, but current IPsec deployments prefer HMAC-SHA2 or AES-GCM.)
3. Enforce the policies without creating tunnels, preserving native routing/switching protocols and paths:
   - Layer 2: encrypt by VLAN
   - Layer 3: preserve IP routes and subnets
   - Layer 4: maintain traffic shaping and NetFlow/J-Flow while encrypting
By designing encryption for modern networks, we made it easy to install and transparent to paths and performance.
Transparent Network Security
Unencrypted network: Traffic flows from the remote office to the primary data center. Packets are load balanced at the head end. In the event of failure at the primary DC, traffic fails over to the secondary site with minimal packet loss and no user intervention.
Traditional tunnel encryption: If encryption is required, a relationship is created between the routers, limiting load balancing. Using dead peer detection, a new tunnel will be nailed up to the secondary after 90 seconds of lost packets.
With CipherEngine: Both DCs (and the associated CEPs) are defined as hubs and all of the branches are defined as spokes. Because the headers remain in the clear, load balancing works with encryption. In the event of a failover, traffic is rerouted with minimal packet loss because there are no tunnels, and the secondary DC already had the correct key. If the primary DC fails: nothing happens!
Diagram: primary and back-up data centers, remote offices; unencrypted traffic vs. encrypted traffic.
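The two preceding slides describe policy-based group encryption: one key per policy shared by every member, only the L4 payload encrypted, addresses and ports left readable so load balancers and flow collectors keep working, and a secondary data center that can decrypt immediately because it already holds the group key. The following added example (my code, not Certes' and not CipherEngine's implementation) shows that logic on packets a CEP has already parsed from the wire. The subnets, ports, policy names and key material are constructed; an HMAC-SHA256 keystream and HMAC tag stand in for the AES-256/HMAC-SHA1 the product uses so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import ipaddress
import os

# Added example, not Certes code. Stand-in cipher: HMAC-SHA256 keystream (counter
# mode) plus an HMAC-SHA256 tag over the preserved headers and ciphertext, in place of
# the product's AES-256/HMAC. Packets are dicts of the fields a CEP has parsed:
# IPv4 5-tuple plus L4 payload.
NONCE_LEN = 12
TAG_LEN = 16

# Policy table as a key manager would push to every CEP in the group: match on
# network topology (subnets) and application (L4 port). Constructed values.
POLICIES = [
    {"name": "voice-mesh", "nets": ["10.0.0.0/8"], "dport": 5060, "key_id": 1},
    {"name": "dc-hub-to-branches", "nets": ["10.0.0.0/8", "172.16.0.0/12"], "dport": 443, "key_id": 2},
]

# One group key per policy, generated once and handed to every member; there is no
# per-pair negotiation and no tunnel. Constructed key material.
GROUP_KEYS = {1: os.urandom(32), 2: os.urandom(32)}


def match_policy(pkt):
    """First policy whose subnets cover both endpoints and whose port matches, else None."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for pol in POLICIES:
        nets = [ipaddress.ip_network(n) for n in pol["nets"]]
        if any(src in n for n in nets) and any(dst in n for n in nets) and pkt["dport"] == pol["dport"]:
            return pol
    return None


def _header_bytes(pkt):
    """The headers that stay in the clear; they are bound into the tag as associated data."""
    return "{src}|{dst}|{proto}|{sport}|{dport}".format(**pkt).encode()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(pkt):
    """Encrypt only the L4 payload; addresses, protocol and ports are left untouched."""
    pol = match_policy(pkt)
    if pol is None:
        return dict(pkt)  # no policy matches: forwarded unchanged, the policy decides
    key = GROUP_KEYS[pol["key_id"]]
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pkt["payload"], _keystream(key, nonce, len(pkt["payload"]))))
    tag = hmac.new(key, _header_bytes(pkt) + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    out = dict(pkt)
    out["payload"] = bytes([pol["key_id"]]) + nonce + ct + tag
    out["encrypted"] = True
    return out


def unprotect(pkt):
    """Any CEP holding the group key can decrypt; a modified header fails the tag check."""
    if not pkt.get("encrypted"):
        return dict(pkt)
    body = pkt["payload"]
    key_id, nonce = body[0], body[1:1 + NONCE_LEN]
    ct, tag = body[1 + NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    key = GROUP_KEYS.get(key_id)
    if key is None:
        raise ValueError("no key for group %d" % key_id)
    expect = hmac.new(key, _header_bytes(pkt) + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    out = dict(pkt)
    out["payload"] = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    del out["encrypted"]
    return out


def flow_record(pkt):
    """What a NetFlow probe or load balancer in the path reads: identical before and after."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def pairwise_tunnel_count(sites):
    """A full mesh of point-to-point tunnels needs one security association per site pair."""
    return sites * (sites - 1) // 2


# Constructed branch-to-primary-DC VoIP signalling packet.
BRANCH_TO_DC = {"src": "10.20.1.5", "dst": "10.1.0.10", "proto": 17, "sport": 40000,
                "dport": 5060, "payload": b"INVITE sip:2100@dc.example SIP/2.0"}

if __name__ == "__main__":
    wire = protect(BRANCH_TO_DC)
    print(flow_record(wire) == flow_record(BRANCH_TO_DC), unprotect(wire)["payload"])
    # Failover: the branch now sends to the secondary DC, which holds the same group key.
    failover = dict(BRANCH_TO_DC, dst="10.2.0.10")
    print(unprotect(protect(failover))["payload"])
    print("tunnels for a 250-site mesh:", pairwise_tunnel_count(250))
```

Two things to notice. A full mesh of 250 sites needs 31125 pairwise tunnels but only one policy key here, which is why failover needs no renegotiation. And because the 5-tuple is deliberately left readable, the design trades traffic-analysis resistance for transparency: anyone on the carrier path still learns who talks to whom and on which port, just not what is said.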
Case Studies
Financial Services
- Compliance-driven requirements for encryption over the WAN
- Multiple data centers connecting to 155 member banks throughout the world
- Required low-latency performance with AES-256 encryption
- Must support DUAL CARRIERS (no IPsec tunnels)
- Redundancy designed into the network architecture
- Encrypted traffic load balanced across carriers under a single policy
- No SLAs reduced or violated
Diagram: Data Centers #1-#4 and Member Banks 1-155 connected over Provider A and Provider B, managed by CipherEngine.
Manufacturing and IP Protection
- Concerned about last-mile security
- Policies defined and encryption keys generated and managed from headquarters in the U.S.
- Multiple real-time applications on an accelerated WAN
- 30 fully meshed sites, growing to 300
- L4 encryption offers stealth encryption: because IP and L4 headers are unchanged, the encrypted flows are not distinguishable from ordinary traffic by the carrier
Diagram: U.S. headquarters, multiple China locations, Hong Kong, Singapore R&D, Germany, Japan and India over leased MPLS service from China Telecom, Hong Kong Telecom, KDDI, Tata Indicom, SingTel and Deutsche Telekom.
Metro Ethernet Encryption
- Phased roll-out from 4 meshed sites to 26 total locations
- Native Layer 2 encryption for new Metro Ethernet service
- Encryption is segmented by VLAN ID
- Policies and keys managed by CipherEngine located at headquarters
- Simple expansion as new sites are added
Diagram: Metro Ethernet network carrying VLANs 5, 6 and 7 between sites.
Utilities, Smart Grid and SCADA Networks
- Delivers hydroelectric power to one of the largest grids in the country
- Solution secures command and control traffic as part of the disaster recovery plan
- Required low-latency Layer 2 encryption
- Critical infrastructure includes all utility, communication and rail control grids
- Policy prevents the DOE from doing press releases, but they have provided direct references to other utilities
Diagram: control center, hydro plant, back-up site and recovery site over a private Layer 2 network.
Video Content and IPTV Providers
- Protection of easily replicated digital assets
- Low-latency AES-256 performance
- Multicast support
- Longer-term migration to cloud TV services
Diagram: IPTV source and 5 local (city) distribution sites over a Layer 3 backbone, managed by CipherEngine.
Government
- Customer required security for mission-critical services
- Deployment to support 288 load-balanced connections to the WAN
- Required low-latency performance using AES-256
- Headquarters supported load-balanced 1G interfaces with low latency
- Redundant CEPs located at each site
- Full-mesh encrypted traffic between sites
Diagram: 288 embassies and MoFA headquarters over leased MPLS service, managed by CipherEngine.
Managed Services
- Hub-and-spoke topology
- More than 130 branches being served
- Each credit union has its own VPN back to the SP data center
- Concerned about protecting customer financial data between credit union locations and the SP data center
- All branch locations configured in this manner
- Credit unions deployed CEP10s within their ATM machines
- Demanded encryption from AT&T as part of an MPLS migration
Diagram: branch location with backup Internet router, Internet-to-MPLS gateway, leased MPLS service and headquarters data center.
Encrypted Voice Services
- 250 sites fully meshed on an MPLS backbone
- Each branch location has multiple users and VoIP
- One policy governs the encryption for the entire network
- The branch location shown is replicated at all 248 other branches
Diagram: data center headquarters and branch offices over leased MPLS service, managed by CipherEngine.
Products: Layer 2/3/4
- 3 Mbps to 10 Gbps variable speed encryption
- Managed with CipherEngine
- Line-rate performance, low latency, high performance
- Standards based
CipherOptics Products
HW: hardware-accelerated variable speed network encryption appliances with aggregate throughputs from 3 Mbps to 10 Gbps.
SW: network-transparent L2 Ethernet frame encryption, L3 IPsec-based encryption with IP header preservation, L4 UDP/TCP payload encryption, and virtual IP tunnelling.
Platform   | VSE speeds
CEP 10     | 3, 6, 10, 25, 50 Mbps
CEP 100    | 100, 155, 250 Mbps
CEP 1000   | 500, 650, 1000 Mbps
CEP 10G    | 2.5, 5, 10 Gbps
IPsec VPN Tunnels vs. Group Encryption
Problem (traditional IPsec)                 | Solution (Certes Networks group encryption)
Point-to-point, tunnel based                | No tunnels: line-rate performance
Difficult to set up and manage              | Easy to set up, configure and manage
Requires added personnel to maintain        | A single location or person can administer
Slows network performance                   | VoIP and video compatible
Does not support dual-carrier environments  | Supports dual-carrier networks
Slows or breaks multicast                   | Compatible with multicast applications
No Layer 4 network services                 | Preserves Layer 4 services
Diagram: CipherEngine policy and key manager with sites over IP (public or private), MPLS, or Ethernet.
Thank You!