Using Carrier Ethernet to Create Cost Effective and Secure Wide Area Networks How Layer 2 Encryption Enables Better Use of Bandwidth.




White Paper

Using Carrier Ethernet to Create Cost Effective and Secure Wide Area Networks
How Layer 2 Encryption Enables Better Use of Bandwidth

Sherman Schlar
Schlar Consulting Group
April 2010

Schlar Consulting Group
21 Garland Road
West Hartford, CT 06107 USA
860.236.9588
www.schlarconsulting.com

Study sponsored by:

Table of Contents

Executive Summary
Introduction
Carrier Ethernet Networks
Carrier Ethernet Networks and High Speed Highway Systems
Secure Carrier Ethernet Networks
General Approaches to Network Security
Carrier Ethernet's Rise in Popularity
Ethernet Encryption
Topologies
The Need for Encryption
Encryption as Applied to Carrier Networks
Layer 2 Encryption
Layer 3 Encryption
Best Practices and Applications
Summary
Thales Datacryptor
About the Author
About Thales

Schlar Consulting Group Page 2

Executive Summary

As government and corporate network traffic continues to increase and new applications such as video conferencing and collaboration have gone mainstream, IT managers are challenged to keep up with these demands while maintaining reasonable operating costs. This problem is particularly apparent in wide area networks (WANs) due to the high cost and limited bandwidth associated with legacy private connections. Many of today's aging private networks are no longer able to meet traffic demands, so higher capacity transport services are often provisioned to resolve this issue.

A number of leading network service providers now offer innovative Carrier Ethernet network services which deliver high speed WAN connectivity at affordable rates. These Ethernet-based services integrate easily with existing local area network (LAN) topologies and equipment, making their economic and technical advantages attractive to enterprise customers. According to a recent report issued by the Insight Research Corporation [1], these services are one of the fastest growing segments of the telecom market and are experiencing annual growth rates of around 30 per cent.

While end-to-end Ethernet data transport offers tremendous advantages to the enterprise, the service offerings are not inherently secure. Government organizations and enterprises must remain vigilant in maintaining network security when selecting a shared public Carrier Ethernet service. Several different approaches to network-based encryption have emerged that successfully address this need. This paper addresses the concerns often expressed by Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and network architects when faced with balancing cost and risks associated with data transport over shared infrastructures. The focus of this paper is on how network encryption can be combined with Carrier Ethernet services to build scalable and secure high performance WANs that meet current and future customer demands.

[1] http://www.insight-corp.com/reports/ethernet09.asp

Introduction

Today's cost conscious businesses and corporations are continually looking for ways to improve the efficiency and performance of their IT infrastructure while simultaneously controlling costs. For companies with multiple locations or geographically dispersed facilities, recurring wide area data and voice network costs are major components in their overall IT budget, often amounting to tens or hundreds of thousands of dollars per month. While many businesses still rely on traditional leased line networks for their wide area data and voice networking, the bandwidth and performance of these legacy networks are no longer adequate to meet the needs of most businesses.

Through unplanned growth cycles and ad hoc network installations, many enterprises still maintain separate voice, data, and video networks. Many of these companies have come to realize that the bandwidth, equipment, and support costs associated with maintaining separate networks make this un-architected approach a poor choice and are turning to new Ethernet services to consolidate their infrastructure end-to-end.

While offering tremendous operational advantages, Carrier Ethernet as a shared service exposes data to an environment that is more vulnerable to interception and compromise. As a result, finding and applying technologies to mitigate these risks is imperative in order to take full advantage of these new data transport options available to the enterprise customer.

Carrier Ethernet Networks

Recent innovations in carrier-based WANs have created several attractive alternatives to dedicated or leased line, Asynchronous Transfer Mode (ATM), and Frame Relay services among others. For the purpose of this paper, we'll refer to the new carrier-based WANs as Carrier Ethernet, but commercially, the offerings are marketed under a variety of different names, including WAN Ethernet, End-to-End Ethernet, Metro Ethernet, and Ethernet Private Line (EPL). These services operate over shared optical backbones and are available in the U.S. and globally from a variety of leading service providers. All offer affordable high performance LAN or near-LAN speed wide area connectivity and connect directly to conventional Ethernet routers and switches, making them easy to install, configure, and maintain.

At the low end, services typically start at bandwidths of 10 Mbits/second extending up to 10 Gbits/second. These network services also support a variety of network topologies, including point-to-point, multipoint, hub and spoke, and mesh. Scalable bandwidth is also available, so network capacity across these links can be easily provisioned as traffic increases.

Carrier Ethernet Networks and High Speed Highway Systems

One way to understand how Ethernet LANs and Carrier Ethernet WANs seamlessly work together is with an analogy to the local and high-speed road system.
In the early twentieth century, cities and towns across developing nations had their own network of paved local roads. Using this network of roads, drivers could easily travel throughout their neighborhood or across town. Getting out of town, however, was another matter altogether. Not far past city limits, well-paved local roads soon disappeared, replaced by slow and narrow country roads. As a result, long distance intercity travel by automobile was nonexistent and the only feasible alternative was by railroad where available. With the advent of high-speed highways connecting cities within continents, end-to-end automobile travel became possible.

A similar analogy holds true when connecting separate Ethernet LANs together with Carrier Ethernet WANs. With end-to-end Ethernet networking, data moves seamlessly across the network at high-speed, linking together all sites with a single, easily managed high performance network.

Secure Carrier Ethernet Networks

Whether using private lines or a Carrier Ethernet service, network security remains a critical priority for the CIO and CISO in the enterprise. Security experts and industry analysts agree that data security is essential to protect sensitive corporate information in any network. We will next focus on the use of Ethernet Layer 2 encryption as the technology of choice for protecting Carrier Ethernet WAN services.

General Approaches to Network Security

The threats facing today's high-speed networks and corporate computer systems continue to grow at an alarming rate. The motivation behind these threats varies depending on the nature of the application and may be political or economic in nature. Network and computer system break-ins can also be very costly to business. As an example, the industry publication Digital Transactions reported in its July 2009 edition that the average cost of a data breach reached $6.7 million, not including legal or other expenses [2]. As networks expand their geographic reach, the number of entry points also increases, further compounding risk.

Nationally recognized security agencies like Carnegie Mellon University's Computer Emergency Readiness Team (CERT) [3] and the Federal Government's US-CERT [4] office recommend that companies implement protection strategies on an enterprise wide basis to mitigate risk and protect valuable corporate assets. Protection strategies used in today's highly distributed data processing environment include authentication, physical level security, perimeter security, encryption, network resiliency, and auditing.

As recommended by leading security experts and agencies, a comprehensive, multilayered network security model has been proven to reduce network vulnerabilities in a cost effective manner. In addition to improving security for distributed LANs and WANs, this multilayer/multizone approach gains strength through the use of multiple intrusion barriers and improved perimeter defenses. This concept of defense in depth increases the level of difficulty and thus lessens the probability of a successful attack.

[2] http://www.digitaltransactions.net/archivemag.cfm
[3] http://www.cert.org/cert/
[4] http://www.us-cert.gov/index.html

Carrier Ethernet's Rise in Popularity

The popularity of Carrier Ethernet services is mainly driven by its simplicity and resulting cost-effectiveness. The underlying physical and data link protocols used in these services are transparent to the traffic they support, making them easy to install and configure. To network operations managers, Ethernet WANs look like extended LANs and thus are easy to configure. Numerous prominent customers have effectively deployed these networks in a wide variety of ways over the past five years, validating their performance, capacity, reliability, and economic value. With improvements in network transport, monitoring, and rerouting technologies, network reliability for these services measures up to 99.999% availability, enabling them to be used for the most demanding high-reliability applications. To back up reliability claims with verifiable hard numbers, many carriers also offer Quality of Service (QoS) guarantees and Service Level Agreements (SLAs) to their customers, making their offerings exceedingly attractive.

Ethernet Encryption

The Ethernet data transmission protocol now used for end-to-end carrier services was originally developed for LANs in the 1980s and was approved as the official IEEE 802.3 standard by the Institute of Electrical and Electronics Engineers in 1985. Over the past several decades, Ethernet has proven itself an extremely scalable and versatile protocol, far outstripping its original 10 Mbit/sec data rate to now run at speeds of 10 Gbit/sec and more. Operating as a data link protocol at Layer 2 of the standards-based Open Systems Interconnect (OSI) protocol stack, Ethernet can run on top of a wide variety of Layer 1 physical media, including copper (wire), optical (fiber), and wireless networks.

At a technical level, data is transmitted across an Ethernet network in the form of variable length frames. Each frame contains a short header, a data or payload field, and a short trailer or frame checksum. The header contains both the source and destination address of the frame and is used to deliver the frame to the proper recipient. In unencrypted Ethernet transmission, the data field or payload portion of the frame is sent in human readable clear text.

When encryption is used, the Ethernet header will sometimes remain in the clear and only the data field is encrypted. Other Ethernet encryption techniques include bulk and tunnel mode encryption. Bulk modes encrypt the entire Ethernet frame (including the header) and thus are used only for private point-to-point dark fiber circuits. Tunnel modes also encrypt the entire Ethernet frame, but permit routing by adding a new header to each frame. Depending on their application and network topologies, customers will use one of these three general Ethernet encryption methods.

Original Ethernet Frame:          Header | Data Payload | FCS
Clear Header Payload Encryption:  Header | Data Payload | FCS
Bulk Encryption:                  Header | Data Payload | FCS
Tunnel Encryption:                New Header | Header | Data Payload | FCS | FCS

Figure 1. Normal and encrypted Ethernet frames
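The three frame layouts of Figure 1, built as an added example that is not from the original paper or from any vendor's product. It shows what an on-path carrier switch can still read in each mode and how many bytes each mode adds. Assumptions: the cipher is a labelled stand-in keystream (not AES), the key, MAC addresses and tunnel EtherType are constructed, and no per-frame IV or integrity tag is carried on the wire.

```python
import hashlib
import struct
import zlib

HDR_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)
FCS_LEN = 4   # CRC-32 frame check sequence


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of header + payload, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) > FCS_LEN and fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def keystream_xor(key: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in cipher, NOT AES and not for real use: XOR with a SHA-256 counter
    keystream. frame_no is a per-frame nonce both encryptors are assumed to track."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("!QI", frame_no, i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def encrypt_payload_mode(key: bytes, frame_no: int, frame: bytes) -> bytes:
    """Clear header: carrier switches can still forward on the MAC addresses.
    With the XOR stand-in, calling this again on the result decrypts it."""
    body = frame[:HDR_LEN] + keystream_xor(key, frame_no, frame[HDR_LEN:-FCS_LEN])
    return body + fcs(body)


def encrypt_bulk_mode(key: bytes, frame_no: int, frame: bytes) -> bytes:
    """Header, payload and FCS all encrypted: no addresses left to switch on,
    which is why the paper limits this mode to point-to-point dark fiber.
    Also its own inverse with the XOR stand-in."""
    return keystream_xor(key, frame_no, frame)


def encrypt_tunnel_mode(key, frame_no, frame, new_dst, new_src, new_type) -> bytes:
    """Whole original frame encrypted, then wrapped in a new clear header and FCS."""
    inner = keystream_xor(key, frame_no, frame)
    body = new_dst + new_src + struct.pack("!H", new_type) + inner
    return body + fcs(body)


def decrypt_tunnel_mode(key: bytes, frame_no: int, wire: bytes) -> bytes:
    if not fcs_ok(wire):
        raise ValueError("outer FCS check failed")
    return keystream_xor(key, frame_no, wire[HDR_LEN:-FCS_LEN])


def on_path_view(wire: bytes) -> dict:
    """What a carrier switch parses from the first 14 bytes, plus the FCS verdict."""
    return {"dst": wire[0:6].hex(":"), "src": wire[6:12].hex(":"),
            "ethertype": hex(struct.unpack("!H", wire[12:14])[0]),
            "fcs_ok": fcs_ok(wire)}


def expansion_pct(original_len: int, wire_len: int) -> float:
    return 100.0 * (wire_len - original_len) / original_len


# Constructed sample values (locally administered MACs, demo key).
KEY = b"demo-key-not-for-production"
HOST_A, HOST_B = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b01")
ENC_A, ENC_B = bytes.fromhex("0200000000e1"), bytes.fromhex("0200000000e2")
TUNNEL_TYPE = 0x88B5  # IEEE local experimental EtherType, chosen for this example

if __name__ == "__main__":
    for size in (46, 1500):  # minimum and maximum standard payload sizes
        frame = build_frame(HOST_B, HOST_A, 0x0800, bytes(size))
        wires = {
            "original": frame,
            "payload": encrypt_payload_mode(KEY, 1, frame),
            "bulk": encrypt_bulk_mode(KEY, 1, frame),
            "tunnel": encrypt_tunnel_mode(KEY, 1, frame, ENC_B, ENC_A, TUNNEL_TYPE),
        }
        for mode, wire in wires.items():
            pct = expansion_pct(len(frame), len(wire))
            print(f"{mode:8} {len(wire):5} B  +{pct:.1f}%  {on_path_view(wire)}")
```

In this layout the tunnel mode's fixed 18 bytes (new header plus new FCS) is a much larger share of a 64-byte frame than of a 1518-byte frame, which is the short-frame effect the paper later raises for encryption overhead.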

Topologies

Local Ethernet network segments are connected together by bridges, routers, and switches, which in turn feed other bridges, routers, and switches. Data is transmitted across the network from one end of the network to the other on a hop-by-hop basis. Large networks comprised of routers and switches can be arranged in a variety of layouts or topologies. In the WAN, common Ethernet topologies include point-to-point, star, and multipoint (also known as fully-meshed) networks.

Figure 2. Point-to-point, star, and fully meshed topologies

In addition to cost and network resiliency, the choice of network topology has a direct bearing on the higher layer application traffic, performance characteristics, and capacity of the network. Traffic on a network can include voice, data, file transfer, and video: each has its own unique flow characteristics and requirements. For example, Voice over IP (VoIP) phone calls are sent across the network in small size packets. Since the human ear is sensitive to voice timing fluctuations, network delay or latency affecting the flow of these packets greatly impacts the quality of voice communications. Although the bandwidth consumed by a single voice call is low, the performance of the network is still important. Data traffic, on the other hand, can be more tolerant to latencies, but large file transfers such as those employed for disaster recovery replication, are generally bandwidth intensive. Video streams combining images and voice are also latency-sensitive and consume much more bandwidth than voice.

The Need for Encryption

In today's security conscious corporate environments, network encryption has become an absolute requirement. As more and more data is used to conduct daily operations and IT environments have become more distributed, the exposure level has thus increased. Securing the confidentiality and integrity of data is critically important in order to safeguard privacy, protect against fraud, and comply with growing government and industry regulations. In the United States, strict federal regulations governing these concerns include the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and others covering encryption for private information and healthcare data.

Similar regulations like the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) apply to the financial services industry. Internationally, equivalent sets of data security standards include the European Union Data Protection Directive (EUDPD), Canada's Personal Information Protection and Electronics Document Act (PIPEDA), and the Basel Accords, issued by the Basel Committee on Banking Supervision.

These strict regulations reinforce the fact that the implications of a security breach can be severe on multiple fronts. The sheer cost of recovering lost data and records, lost organizational productivity due to system outages, and fines for the release of sensitive personal information can easily cost millions of dollars. Equally burdensome legal expenses and damage to corporate reputations further compound these major expenses.

Encryption as Applied to Carrier Networks

Network-based encryption has been used for many years and can be applied at different layers in the OSI protocol stack. Most commonly, this is done at either Layer 2 or Layer 3, although some protocols like Secure Socket Layer (SSL) provide encryption at a higher layer. In a Carrier Ethernet network, encryption is done at the edge of the WAN network and can be performed at either Layer 2 or Layer 3.

The value of doing lower layer encryption is that all network traffic is encrypted, and therefore there is no need to fine-tune encryption parameters for each type of protocol or application. Another significant benefit is the fact that this gives the customer control over their own network security and key management, allowing them to use their internal security staff and thus maintain full independence from the carrier. As previously stated, there are several forms of encryption typically used for carrier networks, each with their own merits and deficiencies.

Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport
Layer 3 Network
Layer 2 Data
Layer 1 Physical

Figure 3. Layer 2 vs. Layer 3 encryption (OSI model)

Layer 2 Encryption

To reach the level of performance needed to run at Gigabit Ethernet data rates, Layer 2 encryption is generally done in hardware, offering significant benefits including:

- The ability to run at full wire or optical fiber data rates, up to 10 Gbits/sec
- Very low latencies in the order of microseconds with no measurable impact on applications
- Very low overhead with little or no frame expansion
- High throughput, even with small frame/packet sizes
- No effect on the higher layer IP routing network design

Because latency-sensitive applications like VoIP and video typically employ short frames/packets, expansion of these has a multiplying effect that consumes large amounts of bandwidth. The low overhead offered by Layer 2 encryption also improves throughput and allows for a more effective use of the available bandwidth.

Layer 3 Encryption

Many routers offer embedded standards-based Layer 3 IP encryption (IPSec). This protocol is commonly used in internal corporate networks (Intranets) to create virtual private networks (VPNs). Although popular, Layer 3 encryption has significant drawbacks, the first being data throughput. IPSec works by appending an additional header to every packet sent across the network. This second packet header can be up to 57 bytes in length, so for short 64 or 128 byte packets (as used for voice), this header can add upwards of 60% of additional overhead to every packet. The result is a dramatic reduction in throughput for small and medium sized packets that, for most companies, comprise the majority of all data traffic. Due to this processing overhead, even full sized 1514 byte packets cannot achieve full wire speed data rates.

A second important deficiency with Layer 3 IPSec encryption is increased latency. The internal data path of an IP encryptor and router, for example, is far longer than that of a comparable line encryption device. Packets enter the switch on a WAN card, get forwarded to the processor card and encryption card, and then pass in the reverse order through all these cards as they leave the router. A similar path is repeated on the receiving end at the decryption device. When using IPSec, the combination of high packet overhead, per packet processing, and inefficient hardware design has been shown to add as much as 50% additional delay to a network. Due to packet fragmentation, latency is also increased for larger sized packets. The latency incurred with IPSec is generally an order of magnitude higher than with Layer 2 encryption, making the process increasingly inefficient for today's demanding applications.

Best Practices and Applications

The combination of Carrier Ethernet networks and Layer 2 encryption meets the four most important network objectives of government and enterprise customers: security, high WAN bandwidth, greater geographic reach, and affordability. By employing robust encryption where it best fits within the network, customers can utilize it as an enabling technology that allows them to take advantage of efficient and cost-effective carrier services.

Ethernet Layer 2 encryption with robust cryptography using the Advanced Encryption Standard (AES) with 256-bit key lengths not only provides the strongest cipher commercially available to protect the confidentiality and integrity of the data in transit across these networks, but it also enables the customer to be in full control of security, independent of the carrier service. Providing minimum overhead and latency over alternative encryption methods, Ethernet Layer 2 encryption ensures maximum utilization of the bandwidth being purchased and provides a mechanism for compliance with important data security regulations.

Some of the more common applications for this combined approach include:

- Disaster recovery data replication (main site to backup sites)
- Data center connectivity (multiple processing and storage sites)
- Secure integrated data, voice, and video

Given the large size of today's databases and file storage systems, data replication and remote backup services involving terabyte or petabyte file transfers require large amounts of wide area bandwidth. The scalable bandwidth and high-speed 10 Gbit/sec connectivity offered by Carrier Ethernet networks are ideal for this application. Similar high bandwidth applications like disaster recovery and business continuity benefit from this approach. Transaction focused financial services and banking industries also gain from the performance and security available with this technology.
Summary

As new bandwidth-intensive applications emerge and the volume of corporate data continues to grow at an unprecedented rate, many corporations are looking to upgrade or replace their existing networks. Businesses, however, must balance their need for high performance solutions with the equally important criteria of security and affordability. For government and enterprise organizations with large WANs, the shift away from privately owned and managed facilities towards the use of Carrier Ethernet end-to-end services is well underway.

Although geographic network expansion increases exposure, security risks can be mitigated with the use of strong encryption technologies. Customers are advised to follow the recommendations of leading security agencies and adopt a comprehensive, multi-tiered approach to security. CIOs, CISOs, and Network Architects should consider the use of Carrier Ethernet networks and Layer 2 Ethernet encryption as part of their overall corporate networking strategy. By providing the advantages outlined herein, Layer 2 encryption can allow users to fully experience the benefits and cost-effectiveness of end-to-end Ethernet connectivity by securely maximizing the use of available bandwidth.

Thales Datacryptor

Thales offers a leading Layer 2 encryption solution. The Datacryptor Ethernet Layer 2 encryption platforms are built specifically for the high-bandwidth and low latency needs of government and enterprise customers. The family of stand-alone, hardware-based encryptors is available in a variety of models addressing speeds from 10 Mbit/sec to 10 Gbit/sec point-to-point and multipoint networks. As legacy data, voice, and video networks converge onto a single high-speed common backbone, Carrier Ethernets offer an excellent mix of flexibility, scalability, wide domestic or international reach, high availability, and affordability. Thales Datacryptors can help customers secure these carrier services in a variety of ways to match a customer's existing WAN topologies.

About the Author

Sherman Schlar is an independent industry consultant and 30-year veteran of the data networking, streaming video, and videoconferencing industries. His background includes systems engineering, Quality Assurance testing, DoD security validation, product certification, and product management. During his long career, he managed one of the world's largest private packet switched networks and has worked closely with major domestic carriers as well as leading European carriers and service providers in England, France, and Germany. Sherman is the author of a best-selling book on the X.25 protocol as well as numerous trade magazine articles, white papers, and technical bulletins. His current interests include desktop video and collaboration platforms as well as the use of corporate broadband and social networks to conserve energy and enhance productivity and educational effectiveness. He is the President of the Schlar Consulting Group (www.schlarconsulting.com) and resides in West Hartford, Connecticut.
About Thales

Thales is one of the world leaders in the provision of information and communication systems security solutions for government, defense, critical infrastructure operators, enterprises, and the finance industry. Thales' unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation, and through-life management services. Thales has an unrivalled 40-year track record of protecting information ranging from sensitive but unclassified up to top secret, as well as a comprehensive portfolio of security products and services, including network security products, application security products, and secured telephony products. To learn more, please visit http://iss.thalesgroup.com.