When To Encrypt At Layer 2 Or Layer 3

Layer 2 (data link layer) encryption is a high-performance security option that offers advantages over Layer 3 (network layer) encryption in some scenarios, particularly in unified communications environments that require low-latency, high-volume data transmission. The increased availability and popularity of high-speed carrier Ethernet services provide fast, relatively cheap transmission, particularly for voice, video and other latency-sensitive traffic. Enterprises can leverage more tr

Layer 2 encryption of large-scale data transmission can be implemented in high-end network equipment, for example between switch ports on Cisco's Nexus 7000 series 10GbE switches, or between an endpoint device and an access switch such as its Catalyst 3560-X and 3750-X series. These switches support the IEEE 802.1AE (MACsec) Layer 2 encryption protocol and the more recently adopted IEEE 802.1X-REV (published as 802.1X-2010), which adds the MACsec Key Agreement (MKA) protocol to automate the authentication and key management that 802.1AE requires. Because MACsec protects each link separately, frames are decrypted and re-encrypted at every switch along the path, so every hop must support it.

"We've seen Layer 2 come in and out of fashion," said Brian Weis, distinguished engineer, IOS security at Cisco. "One of the challenges is that there wasn't a standard; every vendor did it their own way, and because of that hop-by-hop paradigm you were forced to stick with a single vendor. Now that there is a standard that's maturing, I think you will see more Layer 2 adoption because it can go into a multi-vendor environment."

Alternatively, organizations can purchase and deploy purpose-built Layer 2 encryptors from companies such as SafeNet, CipherOptics and Thales. The health care network manager, for example, decided that a network upgrade would be too expensive; he could keep his existing routers while offloading encryption to SafeNet appliances.

MACsec as originally standardized (802.1AE-2006) specifies a single cipher suite, GCM-AES-128. The 802.1AEbn-2011 amendment added GCM-AES-256, but whether a given switch supports it depends on its hardware. So situations that require 256-bit encryption, such as some military or other high-security environments, might lean to one of the dedicated Layer 2 products.
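To make the MACsec mechanics referred to above concrete (the 802.1AE protocol the switches implement, and the GCM-AES-128 cipher suite it uses), the following Go program is an added example written for this page; it is not code from Cisco, SafeNet or the IEEE standard. It builds and verifies an 802.1AE-protected Ethernet frame with the standard library's AES-GCM: the destination and source MAC addresses plus the 16-byte SecTAG (MACsec EtherType 0x88E5, TCI/AN, SL, packet number, SCI) travel in the clear and are authenticated as additional data; the original EtherType and payload are encrypted; the 96-bit GCM IV is SCI || PN; and the 16-byte tag is the ICV. The Secure Association Key (SAK), MAC addresses, SCI and payload are constructed sample values; in a real deployment the SAK comes from MKA. The `Receiver` type is a hypothetical helper that applies 802.1AE's lowest-acceptable-PN replay check. Because the EtherType is inside the ciphertext, a router in the path cannot even tell the frame carries IP, which is why MACsec is hop-by-hop.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Field sizes and constants from IEEE 802.1AE (MACsec).
const (
	macLen       = 6
	etherTypeSec = 0x88E5 // EtherType announcing a SecTAG
	secTAGLen    = 16     // EtherType(2) + TCI/AN(1) + SL(1) + PN(4) + SCI(8), SCI explicitly present
	icvLen       = 16     // GCM-AES-128 Integrity Check Value
	tciSCEC      = 0x2C   // TCI bits: SC=1 (SCI present), E=1 (encrypted), C=1 (changed); V=0
)

// newGCM returns GCM-AES-128 with 802.1AE's parameters (96-bit IV, 128-bit ICV).
func newGCM(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect builds DA || SA || SecTAG || GCM-AES-128(userData) || ICV.
// userData is the original EtherType plus payload, so the EtherType is hidden too.
// sak is the 16-byte Secure Association Key (supplied by the caller here; MKA in real use).
func Protect(sak, da, sa, sci []byte, an byte, pn uint32, userData []byte) ([]byte, error) {
	if len(sak) != 16 || len(da) != macLen || len(sa) != macLen || len(sci) != 8 || an > 3 {
		return nil, errors.New("bad parameters: need 16-byte SAK, 6-byte MACs, 8-byte SCI, AN in 0..3")
	}
	if pn == 0 {
		return nil, errors.New("PN must be non-zero (802.1AE starts at 1; 0 is never transmitted)")
	}
	secTAG := make([]byte, secTAGLen)
	binary.BigEndian.PutUint16(secTAG[0:2], etherTypeSec)
	secTAG[2] = tciSCEC | an
	if len(userData) < 48 { // SL: short length, only set when user data is under 48 bytes
		secTAG[3] = byte(len(userData))
	}
	binary.BigEndian.PutUint32(secTAG[4:8], pn)
	copy(secTAG[8:16], sci)

	aad := make([]byte, 0, 2*macLen+secTAGLen) // authenticated but sent in the clear
	aad = append(append(append(aad, da...), sa...), secTAG...)
	iv := make([]byte, 0, 12) // 802.1AE IV = SCI || PN
	iv = append(append(iv, sci...), secTAG[4:8]...)

	gcm, err := newGCM(sak)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(aad)+len(userData)+icvLen)
	out = append(out, aad...)
	return gcm.Seal(out, iv, userData, aad), nil // Seal appends ciphertext || ICV
}

// Unprotect parses a MACsec frame, verifies the ICV and returns (userData, PN).
func Unprotect(sak, frame []byte) ([]byte, uint32, error) {
	if len(frame) < 2*macLen+secTAGLen+icvLen {
		return nil, 0, errors.New("frame too short for a MACsec frame")
	}
	secTAG := frame[2*macLen : 2*macLen+secTAGLen]
	if binary.BigEndian.Uint16(secTAG[0:2]) != etherTypeSec {
		return nil, 0, errors.New("not a MACsec frame")
	}
	tci := secTAG[2]
	if tci&0x80 != 0 || tci&0x20 == 0 || tci&0x0C != 0x0C {
		return nil, 0, errors.New("unsupported SecTAG: need V=0, explicit SCI, E=1 and C=1")
	}
	pn := binary.BigEndian.Uint32(secTAG[4:8])
	sci := secTAG[8:16]
	aad := frame[:2*macLen+secTAGLen]
	body := frame[2*macLen+secTAGLen:]
	if sl := int(secTAG[3]); sl != 0 { // drop any minimum-frame padding after the ICV
		if len(body) < sl+icvLen {
			return nil, 0, errors.New("SL inconsistent with frame length")
		}
		body = body[:sl+icvLen]
	}
	iv := append(append(make([]byte, 0, 12), sci...), secTAG[4:8]...)
	gcm, err := newGCM(sak)
	if err != nil {
		return nil, 0, err
	}
	userData, err := gcm.Open(nil, iv, body, aad)
	if err != nil {
		return nil, 0, errors.New("ICV check failed: frame modified or wrong SAK")
	}
	return userData, pn, nil
}

// Receiver is a hypothetical per-SA state holder applying 802.1AE replay
// protection with a window of 0: a frame is accepted only if PN >= NextPN.
type Receiver struct {
	SAK    []byte
	NextPN uint32
}

func (r *Receiver) Receive(frame []byte) ([]byte, error) {
	data, pn, err := Unprotect(r.SAK, frame)
	if err != nil {
		return nil, err
	}
	if pn < r.NextPN {
		return nil, fmt.Errorf("replay: PN %d below lowest acceptable PN %d", pn, r.NextPN)
	}
	r.NextPN = pn + 1
	return data, nil
}

func main() {
	// Constructed sample values; not taken from any real device or capture.
	sak := []byte("0123456789abcdef")
	da := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	sa := []byte{0x00, 0x66, 0x77, 0x88, 0x99, 0xaa}
	sci := append(append([]byte{}, sa...), 0x00, 0x01)                         // SCI = sender MAC || port ID 1
	userData := append([]byte{0x08, 0x00}, []byte("IPv4 payload goes here")...) // EtherType 0x0800 + data
	frame, err := Protect(sak, da, sa, sci, 0, 1, userData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("protected frame (%d bytes): %x\n", len(frame), frame)
	rx := &Receiver{SAK: sak, NextPN: 1}
	got, err := rx.Receive(frame)
	fmt.Printf("first delivery: %q err=%v\n", got, err)
	_, err = rx.Receive(frame)
	fmt.Printf("replayed frame: err=%v\n", err)
}
```

Running it prints the hex of the protected frame, in which only the two MAC addresses and the SecTAG are recognizable, followed by a successful first delivery and a rejected replay of the same frame.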

Management is another Layer 2 advantage: it is pretty much a deploy-and-forget technology. Layer 2 encryptors generally require only initial configuration, which reduces the risk of misconfiguration and the security exposure that comes with it. "Layer 2 policy is simple," said SafeNet product manager Davin Baker. "You eliminate the complexities of creating Layer 3 security policy, which is prone to misconfiguration. We've seen this in very large networks, which can get so complex in terms of policy that you take out sites by misconfiguration without knowing it."
