Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

When To Encrypt At Layer 2 Or Layer 3

Layer 2--data link layer--encryption is a high-performance security option that offers some advantages over Layer 3--networking layer--encryption in some scenarios, particularly in unified communications environments that require low-latency, high-volume data transmission. The increased availability and popularity of high-speed carrier Ethernet services provide fast, relatively cheap transmission, particularly for voice, video and other latency sensitive traffic. Enterprises can leverage more traditional Layer 3 IPSec encryption utilizing high-speed switching technology and fast pipes. Or, they can look at Layer 2 encryption technology, which is faster and simple to manage, for appropriate situations.

"If you are looking to aggregate a whole bunch of traffic across a metro Ethernet network on a very high speed link, that's where Layer 2 really shines," said Scott Fanning, senior engineering manager for IOS security at Cisco Systems. "If you are looking at IPSec, you're looking at a much more granular policy, per device or per user policy. You pick the use case appropriately--they're complementary, certainly not competing technologies."

Because it operates below the network layer, Layer 2 encryption is protocol agnostic and is very attractive for high-speed data transmission between data centers. It simply "encrypts everything" and sharply reduces the overhead required by IPSec by as much as 40 percent of available bandwidth. "We encrypt everything that goes across out links; it's just easier to say, if it goes out of our premise, it's encrypted," said the network manager for a regional health care provider, who encrypts traffic largely to meet HIPAA and Medicare requirements.

However, as the provider moved up to gigabit traffic transmission, traffic increased dramatically as users took advantage of the increased capability. VoIP, in particular, has grown from one percent to 10 percent of bandwidth use, but accounts for a quarter of the packet total, placing a heavy burden on processing. "We saw CPU utilization on our routers that were doing encryption jump up dramatically," he said of the VoIP demands. He implemented Layer 2 encryption using SafeNet encryptors, which addressed the performance and latency issues and offloaded encryption from his routers. The company uses Layer 3 encryption for lower bandwidth environments, as well as data transmission to other companies that may not be in a position to support Layer 2.

Layer 2 encryption is a "hop-by-hop" technology, rather than an end-to-end approach used by IPSec. This can be a limiting factor, but also allows organizations that want to inspect traffic to look at network telemetry information provided by Netflow, for example, between points, because the traffic is in the clear within the device.  The encryption devices on the end of each "hop" must not only support Layer 2 but must be directly connected or appear to be directly connected. For example, a Layer 2 transmission could take place across an MPLS network, which would make the intervening network transparent to the encryption devices.

Page:  1 | 23  | Next Page »

Related Reading

More Insights

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

WAN Security Reports

Research and Reports

Network Computing: April 2013

TechWeb Careers