Research proves router encryption vulnerability and supports the case for best practice, high assurance, encryption solutions

High-Assurance Network Security

When it comes to network data security, consolidation and simplification of your security estate can help reduce overhead, speed up deployment and reduce exposure to risk. Similarly, adopting an agile, policy-based approach to security can deliver further cost and time savings.

However, this doesn’t go far enough. Security within the data centre is a hot topic at the moment, and recent months have borne out the concerns of security experts with regard to “embedded encryption” in routers and other network devices.

Whilst manufacturers of network equipment have promised robust data security by embedding encryption within their routers, it appears that the opposite is true. For a number of years, it has been suspected that routers do not make effective security devices because they fail to deliver against a number of key security requirements.

Best-practice encryption key management is one of these.

In its 2015 report, SEC Consult highlights a serious encryption weakness within embedded routers: hard-coded SSH host keys. Not only does this make the router a poor choice in terms of security, the encryption key management weakness also exposes customers to man-in-the-middle attacks.
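A practical check a defender can run against an estate for the weakness the report describes is to look for the same SSH host key presented by more than one device. The script below is an added example (not from the report or the page) that parses constructed known_hosts-style lines, such as ssh-keyscan produces, computes OpenSSH-style SHA256 fingerprints and reports any key shared across hosts; the host names and key blobs are constructed placeholders.

```python
import base64
import binascii
import hashlib
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: base64 of the SHA-256 digest of the raw key
    blob, with '=' padding stripped (the form `ssh-keygen -lf` prints)."""
    raw = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(known_hosts_text: str) -> dict:
    """Parse known_hosts-style lines (`host keytype base64key [comment]`) and
    return {fingerprint: sorted hosts} for every key seen on more than one host.
    Comment, blank and malformed lines are skipped rather than aborting the scan."""
    hosts_by_fp = defaultdict(set)
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, key_b64 = fields[0], fields[2]
        try:
            fp = fingerprint(key_b64)
        except (binascii.Error, ValueError):
            continue  # unparsable key material is not evidence of sharing
        hosts_by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


# Constructed sample: three devices; router-a and router-b present the same key.
KEY_SHARED = base64.b64encode(b"constructed-shared-key-blob-0001").decode()
KEY_UNIQUE = base64.b64encode(b"constructed-unique-key-blob-0002").decode()
SAMPLE_KNOWN_HOSTS = f"""# ssh-keyscan output, constructed for this example
router-a.example ssh-ed25519 {KEY_SHARED}
router-b.example ssh-ed25519 {KEY_SHARED}
router-c.example ssh-ed25519 {KEY_UNIQUE}
broken-line-without-key
router-d.example ssh-ed25519 not*valid*base64
"""

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

A key that turns up on two or more devices you did not deliberately provision identically is the signal to investigate: anyone holding that private key can impersonate every device that presents it.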

Encryption should provide robust and effective data security without impacting on network performance; it should not expose your network to greater levels of risk.

These vulnerabilities lend further weight to the best-practice view of network encryption security. Robust, standards-based encryption remains the most effective long-term security option. However, if badly implemented, it can render your encryption practices ineffective.

The use of routers and switches in any data network as security devices is simply a ‘trap for the trusting’. They are not effective security devices, do not function to an accepted security standard and often adversely affect network performance, at high bandwidth costs to customers.

So what lessons can be learned from the SEC Consult report’s findings? Well, in order to provide “high-assurance” security, network encryption solutions must:

Provide end-to-end encryption (embedded routers alone will not provide this)
Be separated from other network duties and not provide any points of entry
Feature state-of-the-art encryption key management, standards-based encryption and truly random number generation

With best-practice key management, neither the network vendor nor any third-party service provider (e.g. Cloud) can access the encryption keys. Encryption keys should reside within the customer’s controlled, secure environment.

The proliferation of data breaches over the past 5 years proves that there is no room for second best or good enough security. Organisations of all types and sizes (60% of data breaches are from SMEs) need to familiarise themselves with best-practice approaches to deliver high assurance network security.

Best-practice encryption solutions provide the critical last line of defence, ensuring that, when prevention tools (firewalls etc.) have been breached, your data remains safe.

Discover more about high-assurance encryption solutions from Senetas