There has been a heightened interest in encryption over recent months, largely thanks to the Edward Snowden leaks showing US and British intelligence agencies were pouring their funds into cracking popular kinds of protection.
Much of the talk has focused on standards approved by the US National Institute of Standards and Technology (Nist), especially the much-derided Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Secure Sockets Layer (SSL) protections have also faced scrutiny, with an OpenSSL flaw causing something of a panic among security professionals.
Yet enabling certain kinds of encryption across different points of the network, rather than focusing solely on applications, can provide significant protection from the most advanced of attackers. But many still aren’t doing this, says Peter Wood, chief executive officer of security consultancy First Base Technologies.
“There’s no question that transmitting information in plain text remains a significant vulnerability in most organisations. As ethical hackers, we often start our client engagements by examining network data and discovering significant information from a simple packet-sniffing exercise,” says Wood.
“Providing layer 2 encryption at the switch and router would make our activities a lot harder, and thus also the criminal’s life in a real-world attack. Everyone is used to the idea of SSL for web-based transactions, but little thought is given to encrypting internal traffic or indeed to other types of traffic on the internet.”
Encrypting network traffic
Encryption of network traffic by a gateway device is seen by many, including Cisco, as the best way to protect communications between local networks. Using a gateway means enterprise traffic is encrypted regardless of protocol, which should also reduce complexity.
Network-based encryption and application-layer encryption are not mutually exclusive either. They can be, and often are, used together to apply two layers of encryption to data traffic.
IPsec, otherwise known as Internet Protocol Security, includes a set of cryptographic services to protect communications, encrypting each IP packet going between network systems, whether that’s the router or the client. These services include Authentication Header (AH), which covers authentication, and Encapsulating Security Payload (ESP), which covers both authentication and encryption.
IT chiefs can also turn on a variety of features to strengthen an IPsec deployment, including perfect forward secrecy, which ensures that an attacker who has broken just one of the two keys involved in a handshake between two parties still cannot recover the protected information.
MACsec (Media Access Control Security) covers all traffic on Ethernet links. Keys are exchanged and verified between the interfaces at each end of a point-to-point Ethernet connection. It also performs data integrity checks, using an 8-byte header and a 16-byte tail appended to each frame as it passes between the two points; a frame is dropped if either the header or the tail has been altered in transit.
MACsec can help identify a range of security threats, including denial of service (DoS) and man-in-the-middle (MITM) attacks. It is particularly useful for Ethernet segments where data passes through an untrusted location, such as a public space between two buildings. MACsec runs at the native Ethernet line rate, at speeds up to 100Gbps, according to Cisco, and switches achieve this performance through in-line encryption hardware.
MACsec is now standardised as the Institute of Electrical and Electronics Engineers (IEEE) 802.1AE standard. Similarly, a suite of protocols has been standardised for IPsec across several Internet Engineering Task Force (IETF) standards. This means IT chiefs can expect interoperability across their infrastructure, as long as suppliers have implemented the standards on their equipment, which many have.
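To make the MACsec framing concrete, the following Go code is an added illustration, not code from the article or from any supplier named in it. It builds a MACsec-style frame with GCM-AES-128 (the 802.1AE default cipher suite): the 8-byte SecTAG header (EtherType, TCI/AN, SL, packet number) and the 16-byte ICV tail, with the receiving side dropping any frame whose header or tail has been altered or whose packet number has been replayed. The key, MAC addresses, secure channel identifier (SCI) and payload are constructed sample values, and the TCI bit layout, nonce (SCI||PN) and associated data (DA|SA|SecTAG) are this example's reading of 802.1AE rather than anything stated on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const macsecEtherType = 0x88E5 // EtherType that identifies a MACsec SecTAG

// newGCM returns the GCM-AES-128 AEAD for a 16-byte secure association key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectFrame builds DA|SA|SecTAG(8)|ciphertext|ICV(16). Following 802.1AE,
// the GCM nonce is SCI||PN and DA|SA|SecTAG is authenticated as associated data.
func protectFrame(gcm cipher.AEAD, da, sa [6]byte, sci [8]byte, pn uint32, payload []byte) []byte {
	tag := make([]byte, 8)
	binary.BigEndian.PutUint16(tag[0:], macsecEtherType)
	tag[2] = 0x0C // TCI/AN: V=0, SC=0 (SCI implicit), E=1 and C=1 (encrypted), AN=0
	// tag[3] is SL, left 0 here; it is only set for payloads shorter than 48 bytes
	binary.BigEndian.PutUint32(tag[4:], pn)
	aad := append(append(append([]byte{}, da[:]...), sa[:]...), tag...)
	nonce := append(append([]byte{}, sci[:]...), tag[4:]...)
	return append(aad, gcm.Seal(nil, nonce, payload, aad)...)
}

// verifyFrame is the receiving side for one secure channel (sci): it drops frames whose
// ICV does not match the received header and payload, or whose packet number is replayed.
func verifyFrame(gcm cipher.AEAD, sci [8]byte, frame []byte, lowestPN uint32) ([]byte, error) {
	if len(frame) < 36 || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType {
		return nil, errors.New("dropped: no SecTAG")
	}
	if binary.BigEndian.Uint32(frame[16:20]) < lowestPN {
		return nil, errors.New("dropped: replayed packet number")
	}
	nonce := append(append([]byte{}, sci[:]...), frame[16:20]...)
	plain, err := gcm.Open(nil, nonce, frame[20:], frame[:20])
	if err != nil {
		return nil, errors.New("dropped: ICV check failed")
	}
	return plain, nil
}
```

A real switch also derives the SCI from the secure channel the frame arrived on and slides the replay floor forward as packet numbers are accepted; here the caller supplies both.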
Doing both IPsec and MACsec at the same time brings various benefits, according to Nick Williams, senior product manager at networking firm Brocade.
“Network-level encryption is not new, but now, thanks to concurrent advances in both encryption and semiconductor technologies, it is possible to encrypt at high performance, at scale and at a dramatically lower cost. This gives administrators a powerful tool to protect against violations in data security during data-in-flight transfers,” says Williams.
“A combination of IPsec and MACsec is often the ideal solution. IPsec provides encryption for data cloaking on networks that are vulnerable to snooping, ensuring information integrity when transiting on infrastructure not owned by your organisation.
“Meanwhile, MACsec encryption and visibility on your own network provide great flexibility, securing against denial-of-service attacks, identifying malevolent users within the network and applying policy for specific application requirements.”
Implementing both may bring certain latency problems, however. Because IPsec encapsulates the traffic, a form of information hiding, there may be some network performance impact and some routing issues, says Gartner research director Jeremy D'Hoinne. Yet most network firewalls have mature capabilities to deal with this, he adds.
“IPsec on an endpoint like a laptop is more complicated, however,” says D'Hoinne. “Organisations need to solve additional challenges, like sharing and updating secrets (pre-shared keys or certificates), with endpoints that can’t be reached all the time. Also, organisations need to be able to repudiate access from remote endpoints which have been compromised.
“Encryption strategy is weighted by a compromise between the need for confidentiality and the performance impact.”
Once a business has overcome such issues and turned on encryption across its network layers, there is little excuse not to ensure its other data is protected with similar tools.
“Of course data in transit is not the only issue. Organisations also need to invest in encryption at rest for their most sensitive and valuable information, both inside the business and in the cloud,” adds First Base Technologies' Wood. “Once this has also been addressed, the attack surface for most businesses will be reduced significantly.”
This was first published in April 2014