08/31/2010, 9:24 AM
Network Computing, News

When To Encrypt At Layer 2 Or Layer 3

Layer 2--data link layer--encryption is a high-performance security option that offers advantages over Layer 3--network layer--encryption in some scenarios, particularly in unified communications environments that require low-latency, high-volume data transmission. The increased availability and popularity of high-speed carrier Ethernet services provide fast, relatively cheap transmission, particularly for voice, video and other latency-sensitive traffic. Enterprises can leverage more tr

Layer 2 encryption of large-scale data transmission can be implemented in high-end network equipment, for example between switch ports on Cisco's Nexus 7000 series 10GbE switches, or between an endpoint device and an access switch such as its Catalyst 3560-X and 3750-X series. These switches support the IEEE 802.1AE (MACsec) Layer 2 encryption protocol and the more recently adopted 802.1X-REV, which automates the authentication and key management that 802.1AE requires.
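The article's case for Layer 2 rests on latency and volume for voice and video traffic; the following is an added example, not code from the article or from any vendor it quotes, that puts numbers on one measurable part of that trade-off: the fixed per-frame overhead of MACsec (SecTAG plus GCM-AES-128 ICV) against IPsec ESP in tunnel mode over plain Ethernet. The packet sizes (200-byte G.711 voice, 1400-byte video) and the option names are assumptions chosen for illustration; latency itself depends on the hardware and is not modelled.

```python
# Added example (not from the article): bytes that IEEE 802.1AE MACsec (Layer 2)
# and IPsec ESP tunnel mode (Layer 3) each add around one IP packet, compared with
# the plain Ethernet frame. Sizes come from the standards; the traffic profiles
# below are constructed.

ETH_HDR, ETH_FCS = 14, 4        # dst MAC + src MAC + EtherType; frame check sequence
SECTAG_NO_SCI = 8               # EtherType 0x88E5, TCI/AN, SL, 32-bit packet number
SECTAG_WITH_SCI = 16            # same plus an explicit 8-byte Secure Channel Identifier
MACSEC_ICV = 16                 # GCM-AES-128 integrity check value (MACsec default)
IPV4_HDR, ESP_HDR, ESP_TRAILER = 20, 8, 2   # outer IPv4; SPI + seq; pad len + next hdr
ESP_CIPHERS = {                 # name: (IV bytes, padding alignment, ICV bytes)
    "aes-gcm": (8, 4, 16),      # RFC 4106: GCM needs only 4-byte alignment
    "aes-cbc-sha1": (16, 16, 12),  # RFC 3602 + RFC 2404: pad to the AES block
}

def plain_frame_len(ip_pkt_len):
    """Wire bytes for one IP packet in an unencrypted Ethernet frame."""
    return ETH_HDR + ip_pkt_len + ETH_FCS

def macsec_frame_len(ip_pkt_len, include_sci=True):
    """Wire bytes for one IP packet in a MACsec-protected Ethernet frame."""
    sectag = SECTAG_WITH_SCI if include_sci else SECTAG_NO_SCI
    return ETH_HDR + sectag + ip_pkt_len + MACSEC_ICV + ETH_FCS

def esp_tunnel_frame_len(ip_pkt_len, cipher="aes-gcm"):
    """Wire bytes for one IP packet in ESP tunnel mode over plain Ethernet."""
    iv, align, icv = ESP_CIPHERS[cipher]
    # ESP pads so that (inner packet + padding + trailer) is a multiple of `align`.
    pad = (-(ip_pkt_len + ESP_TRAILER)) % align
    return ETH_HDR + IPV4_HDR + ESP_HDR + iv + ip_pkt_len + pad + ESP_TRAILER + icv + ETH_FCS

def added_bytes(ip_pkt_len):
    """Extra wire bytes each option adds over an unencrypted Ethernet frame."""
    base = plain_frame_len(ip_pkt_len)
    return {
        "macsec": macsec_frame_len(ip_pkt_len) - base,
        "esp-aes-gcm": esp_tunnel_frame_len(ip_pkt_len, "aes-gcm") - base,
        "esp-aes-cbc-sha1": esp_tunnel_frame_len(ip_pkt_len, "aes-cbc-sha1") - base,
    }

if __name__ == "__main__":
    # Constructed profiles: a G.711 RTP voice packet (160 B audio + RTP/UDP/IPv4 = 200 B)
    # and a 1400 B video packet, sized so the tunnel-mode frame still fits a 1500 B MTU.
    for name, size in (("g711-voice", 200), ("video", 1400)):
        for option, extra in added_bytes(size).items():
            print("%-10s %5d B  %-17s +%3d B (%.1f%% of the IP packet)"
                  % (name, size, option, extra, 100.0 * extra / size))
```

The MACsec figure is constant per frame (32 bytes with an explicit SCI) while ESP adds a second IP header, IV, padding and trailer, so the gap matters most for the small packets voice produces.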

"We've seen Layer 2 come in and out of fashion," said Brian Weis, distinguished engineer, IOS security at Cisco. "One of the challenges is that there wasn't a standard; every vendor did it their own way, and because of that hop-by-hop paradigm you were forced to stick with a single vendor. Now that there is a standard that's maturing, I think you will see more Layer 2 adoption because it can go into a multi-vendor environment."

Alternatively, organizations can purchase and deploy purpose-built Layer 2 encryptors from companies such as SafeNet, CipherOptics and Thales. The health care network manager, for example, decided that a network upgrade would be too expensive. He could keep his existing routers while offloading encryption to the SafeNet appliances.

MACsec uses 128-bit AES encryption, so situations that require 256-bit encryption, such as some military or other high-security environments, might lean toward one of the dedicated Layer 2 products.

Management is another Layer 2 advantage--it's pretty much a deploy-and-forget technology. Layer 2 encryptors generally require only initial configuration, which reduces the risk of misconfiguration and the security exposure that comes with it. "Layer 2 policy is simple," said SafeNet product manager Davin Baker. "You eliminate the complexities of creating Layer 3 security policy, which is prone to misconfiguration. We've seen this in very large networks, which can get so complex in terms of policy that you take out sites by misconfiguration without knowing it."
