Packet Pushers – Living With Encryption

There are some great online technology forums available for data networking professionals, providing everything from white papers to podcasts. I recently stumbled upon a round table discussion on Packet Pushers where, among other things, the guests were discussing options for encryption “on the wire” (EG. Layer 2 network data encryption).

One contributor works for a public-sector organization with an extensive, multi-point to multi-point dark fibre network. The sensitive nature of certain data types required that the data should be encrypted when in motion – particularly when it left the building.

From a philosophical standpoint, the guest believed that end-to-end encryption was the only way to guarantee the security of the data. However, internal pressure to simply meet compliance objectives and tick boxes was pushing them towards a solution based on MACSec encryption standards.

What followed was an interesting discussion of the merits of MACsec versus VDI, SD-WAN and dedicated (high-assurance) Layer 2 encryption hardware.

Although MACsec was being promoted internally, it was clear from all the contributors that it didn’t represent the best option. It was also evident that each of the guests had had negative experiences with MACsec in the past.

First of all, a rush to encryption compliance for whatever reason (for example, the impending General Data Protection Regulations in the EU) is never a good idea – act in haste, repent at leisure.

While MACsec-based encryption may be embedded in network switches or routers, making them multi-function devices, it doesn’t represent an optimal application of encryption security. So much so, that some security experts refer to it as “low-assurance” encryption.

To start with, there is a limited amount of hardware that supports MACsec, so device compatibility is an issue. Secondly, MACsec does not support complex meshed topologies. Thirdly, and more importantly, key security is rarely deployed effectively, leading to fundamental vulnerabilities.

The roundtable contributors were somewhat blunter in their assessment, referring to it as “a poor man’s solution” that is “generally unsafe”.


Encryption Solutions Compared

Moving on from MACsec, the guests discussed VDI and SD WAN as alternatives. While each has their merits, they also have their limitations. SD WAN vendors can offer some cost-effective encryption options, but they don’t work across high-speed networks operating at 10Gbps or more.

As a vendor of dedicated hardware encryption, I was interested to see what their take on Layer 2 encryption would be. There are some long-held misconceptions about encryption hardware that still seem to be prevalent amongst the network engineering community.

First, that hardware encryption is exclusively used by the military. While the robust nature of certified hardware encryption makes it suitable for government and defence applications, these are not the only organizations to benefit from high-assurance encryption. Large and small enterprises, data centre and cloud service providers across the world are using Senetas CN Series encryptors to protect data in motion across networks from 10Mbps to 100Gbps.

Second, that hardware encryption is complex. This just isn’t the case. Centralised, local or remote encryptor management makes deployment and configuration simple. Senetas CN Series encryptors are transparent to the network and feature set-and-forget simplicity. They also impart near zero latency and minimum network overhead, so they offer maximum security without compromising network performance.

Finally, there is also a perception that hardware encryption is prohibitively expensive. In the Packet Pushers podcast, the guests refer to large enterprises being able to afford it, but that it’s not such a viable option for public-sector organizations.

There may have been a time when this was true, but the price of dedicated hardware has come down significantly over the last ten years. Today, low-cost, small form factor encryptors are also available. Operating at full-line rate over 1Gbps links, they allow even small businesses to benefit from end-to-end, authenticated encryption.

Like many IT and communications technologies, simply comparing the initial purchase price (direct cost) is not a fair basis for decision making. You need to look at the total cost of ownership (TCO) over the lifespan of the investment. TCO takes into account the original purchase price, but also includes indirect costs, overhead and an allowance for those “hidden” costs that inevitably occur.

Some of the additional costs associated with low-assurance alternatives include the need to undertake regular security patches/updates (and the associated disruption to network availability that comes with this), plus the costs incurred as a result of network vulnerabilities. The truth is, over time, the ROI on dedicated hardware often outweighs its low-assurance competitors.

Take a look at our infographic for more on TCO versus ROI.