Network Encryption: Today's Challenge
Few organizations today have access to truly private and secure networks; instead, they share network infrastructure with other organizations. As a result, information traveling over these public or virtual private networks is often vulnerable to interception. Quite rightly, many of today’s data privacy requirements and standards include, as a baseline level of protection, a mandate to protect data in motion. While organizations can choose to encrypt selected data at the application level or within databases or other storage environments, the bulk protection of data flowing over a network provides a blunt but very effective instrument for adding an extra layer of security. Network encryption guards against regulated data inadvertently being sent in the clear and also provides valuable protection for all other classes of data that perhaps do not justify dedicated protection but nonetheless are still considered sensitive. Although network-level encryption is a relatively mature technology, organizations need to make several choices when deciding what kind of network encryption to deploy:
- Which networks should have their traffic encrypted? Most networks are ‘open’ to some degree, but some are much more open than others. Internal wired networks might be considered vulnerable only for the most sensitive data, since they still suffer from the threat of insider attacks, whereas backbone networks and wide area network (WAN) connections usually deserve more consideration as they typically use shared pipes from external service providers. In almost all settings, organizations will want to encrypt traffic over wireless local area networks (LANs), wireless WANs, and, of course, the Internet. This page focuses mainly on WAN encryption.
- Should traffic be encrypted at Layer 2 or Layer 3 in the OSI Network Model? At stake in this choice are overhead and the potential waste of bandwidth. Applying encryption at Layer 3, using well-known protocols such as IPsec, creates the need to preserve routing information used by equipment throughout the network. This imposes a significant overhead, ultimately affecting capacity and latency. Layer 2 encryption operates at a lower layer, is independent of the routing information and flow-management techniques that exist at Layer 3, and is more efficient in most cases. That said, IPsec remains the most common form of network encryption for all but high-speed data-center-to-data-center connections, where bandwidth and latency are most critical.
- Are your security needs best served by embedded or standalone encryption? Since network-level encryption is a relatively mature technology, it is commonly available as an embedded or native feature of routing or switching equipment. Standalone encryption platforms provide an alternative to embedded encryption—one that delivers a higher level of assurance and benefits from purpose-built key management capabilities. Standalone encryption platforms are independently certified against security benchmarks such as FIPS 140 and Common Criteria, offer tamper resistance, and offer features that enable organizations to enforce a strong separation of duties between network administrators and security officers.
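To make the overhead trade-off in the Layer 2 versus Layer 3 bullet concrete, here is an added example (not from this page or from Thales) that computes the per-packet wire cost of plain Ethernet, a MACsec-style Layer 2 encryptor and an IPsec ESP tunnel using AES-GCM. The header sizes are the standard ones; the 1500-byte path MTU, the use of a SecTAG with SCI, and the absence of MSS clamping are assumptions.

```python
from dataclasses import dataclass
# Standard header sizes in bytes (constructed illustration, not vendor code).
ETH_HDR, ETH_FCS = 14, 4          # Ethernet MACs + EtherType, frame check
IPV4_HDR = 20                     # outer header IPsec tunnel mode must add
ESP_HDR, ESP_IV = 8, 8            # SPI + sequence number; AES-GCM explicit IV
ESP_TRAILER, ESP_ICV = 2, 16      # pad length + next header; 128-bit ICV
MACSEC_SECTAG, MACSEC_ICV = 16, 16  # SecTAG with SCI; 128-bit ICV
PATH_MTU = 1500                   # assumed largest IP packet the WAN carries

@dataclass
class WireCost:
    wire_bytes: int    # bytes sent on the link to carry one IP packet
    efficiency: float  # useful IP bytes / wire bytes
    fragments: int     # IP packets actually emitted

def plain(ip_len: int) -> WireCost:
    wire = ETH_HDR + ip_len + ETH_FCS
    return WireCost(wire, ip_len / wire, 1)

def layer2(ip_len: int) -> WireCost:
    # A Layer 2 encryptor tags the frame but never parses or pads the IP
    # packet: fixed 32 B overhead, no fragmentation (link must carry >1518 B frames).
    wire = ETH_HDR + MACSEC_SECTAG + ip_len + MACSEC_ICV + ETH_FCS
    return WireCost(wire, ip_len / wire, 1)

def esp_tunnel_len(ip_len: int) -> int:
    """Size of the outer IP packet after ESP tunnel-mode encapsulation."""
    pad = (-(ip_len + ESP_TRAILER)) % 4   # ESP pads to a 4-byte boundary
    return IPV4_HDR + ESP_HDR + ESP_IV + ip_len + pad + ESP_TRAILER + ESP_ICV

def layer3(ip_len: int) -> WireCost:
    outer = esp_tunnel_len(ip_len)
    if outer <= PATH_MTU:
        wire = ETH_HDR + outer + ETH_FCS
        return WireCost(wire, ip_len / wire, 1)
    # The outer packet no longer fits the MTU, so it is fragmented; every
    # fragment carries its own IPv4 header and Ethernet framing, and
    # fragment payloads are multiples of 8 bytes (assumes no MSS clamping).
    body = outer - IPV4_HDR
    per_frag = (PATH_MTU - IPV4_HDR) // 8 * 8
    n = -(-body // per_frag)              # ceiling division
    wire = body + n * (IPV4_HDR + ETH_HDR + ETH_FCS)
    return WireCost(wire, ip_len / wire, n)

def compare(ip_len: int) -> dict:
    return {"plain": plain(ip_len), "layer2": layer2(ip_len), "layer3": layer3(ip_len)}

if __name__ == "__main__":
    for size in (64, 512, 1500):
        print(size, {k: (v.wire_bytes, round(v.efficiency, 3), v.fragments)
                     for k, v in compare(size).items()})
```

Running it shows the effect the bullet describes: for full-size 1500-byte packets the ESP tunnel pushes the outer packet past the MTU and doubles the number of packets on the wire, while the Layer 2 encryptor adds a fixed tag and ICV only.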
Standalone network encryption platforms are particularly valuable for high-speed connections between data centers. Globally interconnected organizations and service providers require the combination of optimized bandwidth, unshakeable resilience, and security for critical systems such as storage area networks (SANs), transaction systems, and cloud computing. The ability to secure these backbone connections as transparently as possible becomes a critical success factor for enterprises and a valuable differentiator for network service providers.
Risks Associated with Network Security
- Attackers can “eavesdrop” on unencrypted data traveling over a network, not only compromising privacy but also opening the possibility of modifying or substituting data as a way to stage more sophisticated attacks.
- Because industry mandates often require protection for data in motion, organizations that do not implement this protection risk fines, embarrassing data breach disclosure statements, and resulting damage to their reputation.
- Depending on the application, encryption capabilities embedded in routers and switches may not offer the combination of security and performance you need.
Network Encryption: Thales e-Security Solutions
Using standalone network encryption platforms from Thales e-Security, you can deploy proven solutions to maximize confidence that your sensitive, high-value data will not be compromised during transport. Datacryptor network encryption platforms offer increased levels of protection over both unencrypted data transport and basic encryption capabilities embedded in routers and switches.
The Datacryptor family of network encryption platforms is designed to offer the widest range of support for different network types, encryption protocols, and certification levels—while delivering state-of-the-art throughput and latency. This ideal combination of security, performance, and deployment flexibility is essential for organizations and service providers wishing to secure point-to-point and multipoint networks where latency, bandwidth utilization, and powerful separation of duties are of utmost importance. Typical usage scenarios include:
- Institutions or organizations with geographically distributed offices interconnected by virtual private networks.
- Organizations with mirrored or replicated data centers using high-speed wide area network (WAN) connections.
- Organizations using microwave- or radio-based campus networks.
- Service providers wishing to provide premium, encrypted data networking services.
- Governments wishing to support national algorithms or key management practices for high assurance restricted networks.
- Deploy a high assurance network encryption solution with a proven legacy of more than 20 years.
- Utilize the most cost-effective data transport medium, network speed, and protocol for your needs. Datacryptor platforms are available for IP, Layer 2 Ethernet, E1/T1 & E3/T3, SONET/SDH, Link, and Frame Relay.
- Take advantage of security capabilities that are not achievable with native encryption capabilities found in network switches and routers—such as tamper resistant physical hardening, strong authentication for administrators, hardware-based key generation, and embedded and remote key management.
- Reduce risk of insider attacks by enforcing separation of duties between network administrators and security officers.
- For organizations wishing to deploy country-specific or sovereign encryption algorithms and key management standards, it is possible to minimize costs through the use of off-the-shelf encryption devices that can be customized and reprogrammed to meet specific requirements.
- Simplify compliance by using devices accredited to global security standards such as FIPS and Common Criteria and regional certifications such as UK CESG/CAPS.