Layer 2 encryption of large-scale data transmission can be implemented in high-end network equipment, for example between switch ports on Cisco's Nexus 7000 series 10GbE switches, or between an endpoint device and an access switch such as its Catalyst 3560-X and 3750-X series. These switches support the IEEE 802.1AE (MACsec) Layer 2 encryption protocol and the more recently adopted 802.1X-REV, which automates the authentication and key management that 802.1AE requires.
"We've seen Layer 2 come in and out of fashion," said Brian Weis, distinguished engineer, IOS security at Cisco. "One of the challenges is that there wasn't a standard; every vendor did it their own way, and because of that hop-by-hop paradigm you were forced to stick with a single vendor. Now that there is a standard that's maturing, I think you will see more Layer 2 adoption because it can go into a multi-vendor environment."
Alternatively, organizations can purchase and deploy purpose-built Layer 2 encryptors from companies such as SafeNet, CipherOptics and Thales. The health care network manager, for example, decided that a network upgrade would be too expensive; he could keep his existing routers while offloading encryption to the SafeNet appliances.
MACsec uses 128-bit AES encryption, so situations that require 256-bit encryption, such as some military or other high-security environments, might lean toward one of the dedicated Layer 2 products.
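As an added example (not code from the article or from any vendor named in it), this Go program shows what MACsec's 128-bit AES actually does to a frame: GCM-AES-128 with the Secure Channel Identifier and Packet Number as the IV, the MAC addresses and SecTAG authenticated but left readable, and a replay check on the receiving side. The SAK, addresses and SCI are constructed values; distributing the SAK (the job of MKA under 802.1X-REV) is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// 802.1AE SecTAG field values and lengths used below.
const (
	macsecEtherType, tciSC, tciE, tciC = 0x88E5, 0x20, 0x08, 0x04 // EtherType; SCI present; encrypted; changed
	macLen, sectagLen, icvLen          = 12, 16, 16               // DA+SA; SecTAG with SCI; GCM ICV
)

func newGCM(sak []byte) (cipher.AEAD, error) { // a 16-byte SAK selects AES-128; GCM: 12-byte IV, 16-byte ICV
	block, err := aes.NewCipher(sak)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Protect builds DA || SA || SecTAG || GCM-AES-128(payload) || ICV with IV = SCI || PN and
// AAD = DA || SA || SecTAG: switches can still read addresses and tag, but any change fails the ICV.
func Protect(sak []byte, da, sa [6]byte, sci [8]byte, an byte, pn uint32, payload []byte) ([]byte, error) {
	if pn == 0 { return nil, errors.New("PN 0 is reserved; rekey before the counter wraps") }
	gcm, err := newGCM(sak)
	if err != nil { return nil, err }
	hdr := make([]byte, macLen+sectagLen)
	copy(hdr[0:6], da[:]); copy(hdr[6:12], sa[:])
	tag := hdr[macLen:]
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = tciSC | tciE | tciC | (an & 0x03) // TCI bits plus 2-bit Association Number
	if len(payload) < 48 { tag[3] = byte(len(payload)) } // Short Length only for short payloads
	binary.BigEndian.PutUint32(tag[4:8], pn)
	copy(tag[8:16], sci[:])
	iv := append(append([]byte{}, sci[:]...), tag[4:8]...)
	return gcm.Seal(hdr, iv, payload, hdr), nil
}

// Unprotect checks the EtherType, rejects a PN at or below the last accepted one (replay
// protection), then verifies the ICV and decrypts using the same IV and AAD as the sender.
func Unprotect(sak, frame []byte, lastPN uint32) ([]byte, uint32, error) {
	if len(frame) < macLen+sectagLen+icvLen { return nil, 0, errors.New("frame too short") }
	hdr, tag := frame[:macLen+sectagLen], frame[macLen:macLen+sectagLen]
	if binary.BigEndian.Uint16(tag[0:2]) != macsecEtherType { return nil, 0, errors.New("not a MACsec frame") }
	pn := binary.BigEndian.Uint32(tag[4:8])
	if pn <= lastPN { return nil, 0, errors.New("replayed or out-of-order PN") }
	gcm, err := newGCM(sak)
	if err != nil { return nil, 0, err }
	iv := append(append([]byte{}, tag[8:16]...), tag[4:8]...)
	payload, err := gcm.Open(nil, iv, frame[len(hdr):], hdr)
	if err != nil { return nil, 0, errors.New("ICV check failed: tampered frame or wrong SAK") }
	return payload, pn, nil
}
```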
Management is another Layer 2 advantage: it's pretty much a deploy-and-forget technology. Layer 2 encryptors generally require only initial configuration, which reduces the risk of misconfiguration and the security exposures that come with it. "Layer 2 policy is simple," said SafeNet product manager Davin Baker. "You eliminate the complexities of creating Layer 3 security policy, which is prone to misconfiguration. We've seen this in very large networks, which can get so complex in terms of policy that you take out sites by misconfiguration without knowing it."