By Andrew K. Burger E-Commerce Times Part of the ECT News Network
06/19/07 4:00 AM PT
Ethernet has been steadily extending its influence as it continues to evolve beyond the local area network.
The ongoing development of virtual local area network, or VLAN, standards, is paving the way for Ethernet to play a key role in next-generation networking.
As networks expand, so do opportunities to exploit them. Ethernet offers the means to strongly encrypt network traffic right down through a data or message packet's contents.
In the Army Now
The ability to apply the Advanced Encryption Standard (AES) across every data packet traversing a network is a powerful attraction of Layer 2 data encryption, particularly as stringent information security standards have now been mandated by a variety of legislative actions, including the EU Data Protection Directive, Sarbanes-Oxley, the California Database Security Breach Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and the Federal Information Security Management Act, noted Andy Solterbeck, vice president of product management for SafeNet's commercial security division.
The U.S. Army is fulfilling both these needs with a Layer 2 encryption solution as part of its Infrastructure Modernization Program. Alcatel-Lucent (NYSE: ALU) subsidiary LGS Innovations, one of the program's contractors, chose Thales E-Security's SONET Datacryptors as one of the security solutions it will be offering to the Army for its modernization program.
Thales' network encryption products use the strongest commercially available cryptographic algorithm and allow customers to set security parameters such as the frequency of key exchanges, Juan Asenjo, Thales' Information Assurance Global Marketing Manager, told TechNewsWorld.
"The secure management application, Element Manager, can also seamlessly integrate with the customers' existing Simple Network Management Protocol management tools, enabling the customer to use existing system monitoring resources," he explained.
Low Impact
In addition to 256-bit data encryption, one of the biggest benefits of the latest generation of Layer 2 encryption standards is the low impact they have on network performance. "Due to the high volume of data that is carried over networks, even a small-scale attack can result in a significant amount of data loss," SafeNet's Solterbeck told TechNewsWorld.
Similar to other Layer 2 encryption products, SafeNet's SafeEnterprise Ethernet Encryptors are high-performance security appliances that reside at the network edge, protect 10 Mbps, 100 Mbps and Gigabit Ethernet networks, and encrypt entire IP (Internet protocol) packets without the overhead of an additional IP header, he explained.
"Only encryption can protect data itself -- and while IPSec (Layer 3) is still very common due to its flexibility, the technology is an overhead burden on the network," Solterbeck continued. "IPSec encryption can create significant network bottlenecks, whereas Layer 2 encryption introduces virtually no latency or overhead to the network."
This makes SafeNet's enterprise line of Layer 2 encryption appliances well-suited for Metropolitan Ethernet or Ethernet WAN services, as well as remote backup, storage area network, data center, and business continuity/disaster recovery applications, according to Solterbeck.
It is not suitable for Layer 3 applications, such as remote access over public networks, he noted.
Ease of implementation and maintenance are two other significant attractions. "Due to the more static nature of Layer 2 connections, the implementation of these encryption devices is typically 'set and forget,'" Solterbeck said. "Layer 2 security separates security from the network, thereby reducing complexity, maintenance, management cost and operational expenses."
Media Independence
Aruba Networks offers a Layer 2 encryption solution that can be applied to both wired and wireless networks. OS xSec's biggest strength, according to Jon Green, Aruba's OS xSec product manager, is that it is "media independent."
"[OS xSec] does not bind itself to the actual network driver in the client device, but instead provides services above. That means it can run over wireless or wired networks equally well," he explained.
"In wireless networks, we have WPA2 (WiFi Protected Access) that works very well, but over wired networks we really have nothing. You can authenticate users with 802.1x, but there is no scheme there for encryption. xSec is really a repackaging of WPA2 and uses very similar techniques, but it works equally well over wired or wireless," Green maintained.
"Also, being an L2 protocol, you can use it to secure legacy wireless access points that cannot be upgraded to support WPA2. Just install the client software, put an Aruba controller somewhere in the network behind the old wireless APs (access points), and you have a secure network," he told TechNewsWorld.
Following the Rules
Network operators are also making use of Layer 2 encryption solutions. AboveNet Communications has teamed up with CipherOptics to provide its customers -- primarily in the financial services, healthcare and government markets -- the CipherEngine compliance-grade security solution.
The product allows those customers to secure information traffic on a broad scale using Layer 2 encryption, and to be in compliance with government and industry regulations that require them to protect consumer information, according to CipherOptics.
Until recently, network encryption has either been at the physical link level or at the IP level, explained Scott Palmquist, CipherOptics' senior vice president of product management.
Link-level encryptors need to be installed in pairs on the same physical circuit, and IP encryptors have the limitation of protecting only IP traffic, he said.
CipherOptics' Ethernet encryptor, in contrast, "works at the Layer 2 Ethernet level and secures the entire data payload regardless of protocol type. But, unlike a link encryptor, we protect all topology types of Ethernet networks: point-to-point, switched and meshed. Because we do not force an additional IP header, we do not waste bandwidth at low packet sizes," Palmquist said.
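The overhead argument made by Solterbeck and Palmquist above (an extra IP header and per-packet padding in IPsec, none in a Layer 2 encryptor) can be put in numbers. The following is an added illustration, not code from any vendor in the article: it models ESP tunnel mode per RFC 4303 with AES-CBC-128 and HMAC-SHA1-96, and assumes a generic Layer 2 encryptor that adds a fixed 32-byte tag (modelled on an IEEE 802.1AE MACsec SecTAG plus ICV) and no new IP header, since the products discussed are proprietary and publish no frame format here.

```python
"""Per-packet overhead of IPsec ESP tunnel mode versus a Layer 2 encryptor.

Constructed model, not vendor data. ESP sizes follow RFC 4303 with
AES-CBC-128 (16-byte block, 16-byte IV) and HMAC-SHA1-96 (12-byte ICV).
The Layer 2 side is an assumption: a fixed 32-byte tag (MACsec-style
SecTAG + ICV) with the payload encrypted in place and no added IP header.
"""
from dataclasses import dataclass

AES_BLOCK = 16
OUTER_IPV4 = 20      # new IP header forced by tunnel mode
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value
L2_TAG = 32          # assumed Layer 2 tag (SecTAG 16 + ICV 16)


def esp_padding(ip_len: int) -> int:
    """Pad so that payload + trailer fills whole cipher blocks (RFC 4303)."""
    return (AES_BLOCK - (ip_len + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK


def esp_tunnel_overhead(ip_len: int) -> int:
    """Bytes added when an ip_len-byte packet is wrapped in ESP tunnel mode."""
    return (OUTER_IPV4 + ESP_HDR + ESP_IV + esp_padding(ip_len)
            + ESP_TRAILER + ESP_ICV)


def l2_overhead(ip_len: int) -> int:
    """Bytes added by the assumed Layer 2 encryptor: tag only, no padding."""
    return L2_TAG


@dataclass
class Comparison:
    ip_len: int
    esp_bytes: int          # bytes on the wire after ESP tunnel mode
    l2_bytes: int           # bytes on the wire after Layer 2 encryption
    esp_efficiency: float   # useful bytes / wire bytes
    l2_efficiency: float
    esp_fragments: bool     # ESP output no longer fits a 1500-byte IP MTU


def compare(ip_len: int, mtu: int = 1500) -> Comparison:
    esp = ip_len + esp_tunnel_overhead(ip_len)
    l2 = ip_len + l2_overhead(ip_len)
    return Comparison(ip_len, esp, l2, ip_len / esp, ip_len / l2, esp > mtu)


if __name__ == "__main__":
    for size in (46, 128, 512, 1500):   # 46 = minimum Ethernet payload
        c = compare(size)
        print(f"{size:5d} B  ESP {c.esp_efficiency:6.1%}  "
              f"L2 {c.l2_efficiency:6.1%}  ESP fragments: {c.esp_fragments}")
```

At the minimum 46-byte payload the ESP tunnel costs 58 bytes of overhead against 32 for the Layer 2 tag, and at 1500 bytes the ESP output exceeds the MTU, which is where the fragmentation-driven "bottleneck" the article describes comes from.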