Network Computing is part of the Informa Tech Division of Informa PLC


When To Encrypt At Layer 2 Or Layer 3: Page 3 of 3

Another benefit of that simplicity is that Layer 2 does not require sharing routing information with service providers, which may appeal to organizations whose policies prohibit releasing this kind of information. From a security perspective, both Layer 2 and Layer 3 provide the necessary protection against attackers who tap into traffic by snooping on the access link, for instance by placing a hub somewhere along the link. Even fiber optic cable, thought by many to be inaccessible, can be tapped using relatively inexpensive equipment that takes advantage of light leakage. Layer 2's performance and low latency may make it the encryption of choice in this kind of environment.

Layer 2 encryption protects against all forms of man-in-the-middle attacks; 802.1AE/802.1X-REV ties user authentication to the MACsec session, allowing only MACsec packets between devices. Nothing in the middle can get in, which is why, as Cisco's Weis explained, Layer 2 encryption is used for WPA2 wireless security.
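A defensive check for the "only MACsec packets between devices" property, as an added example that is not from the original article: it classifies raw Ethernet frames from a capture on a MACsec link by EtherType and SecTAG, and flags anything that is neither EAPOL nor encrypted MACsec, including integrity-only MACsec frames. The sample frames and helper names are constructed for illustration; the 16-byte ICV, the absence of a clear VLAN tag and non-XPN cipher suites are assumptions.

```python
import struct

ETH_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG EtherType
ETH_EAPOL = 0x888E   # IEEE 802.1X EAPOL (authentication and key agreement)
ICV_LEN = 16         # assumption: default 16-byte integrity check value

def classify(frame: bytes) -> str:
    """Classify one raw Ethernet frame (FCS stripped, no clear VLAN tag)."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_EAPOL:
        return "eapol"
    if ethertype != ETH_MACSEC:
        return "unprotected"
    if len(frame) < 20 + ICV_LEN:
        return "malformed"
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, 14)
    v, es, sc, scb = tci_an & 0x80, tci_an & 0x40, tci_an & 0x20, tci_an & 0x10
    e, c = tci_an & 0x08, tci_an & 0x04
    # SecTAG validity rules from 802.1AE: V clear, SC excludes ES/SCB,
    # top two SL bits clear, PN non-zero (non-XPN cipher suites assumed).
    if v or (sc and (es or scb)) or sl & 0xC0 or pn == 0:
        return "malformed"
    body = len(frame) - (28 if sc else 20) - ICV_LEN  # secure data octets
    if body < 0 or (sl and body != sl) or (not sl and body < 48):
        return "malformed"
    return "macsec-encrypted" if e and c else "macsec-integrity-only"

def audit(frames):
    """Return indexes of frames that violate a MACsec-only link policy."""
    return [i for i, f in enumerate(frames)
            if classify(f) not in ("eapol", "macsec-encrypted")]

def build_frame(ethertype, payload):
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload

def sectag(tci_an, data, pn=1):
    sl = len(data) if len(data) < 48 else 0  # SL is only set for short data
    return struct.pack("!BBI", tci_an, sl, pn) + data + bytes(ICV_LEN)

SAMPLES = [  # constructed frames, not captured traffic
    build_frame(ETH_EAPOL, bytes(4)),                          # key agreement
    build_frame(ETH_MACSEC, sectag(0x0C, bytes(60))),          # E=1, C=1
    build_frame(ETH_MACSEC, sectag(0x00, bytes(60))),          # integrity only
    build_frame(0x0800, bytes(46)),                            # clear IPv4
    build_frame(ETH_MACSEC, sectag(0x0C, bytes(60), pn=0)),    # invalid PN
]
```

`audit(SAMPLES)` returns the indexes of the integrity-only, cleartext and invalid-PN frames; on a real link, any such hit is worth checking against the switch's MACsec policy.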

The passage of the standards, the availability of compatible products, and the options for integrated network implementation or purpose-built products make Layer 2 encryption a viable option for scenarios such as high-speed data transmission for multimedia traffic, links between telecommunications centers and rapid disaster recovery. The choice of Layer 2 or 3 is highly dependent on the use case.

"There are different places where each fits," said Darren Miller, Cisco distinguished engineer, security systems unit. "In a WAN environment, for example, if you need security for branch offices with lots of any-to-any communications, that's IPSec all the way. A secure link between buildings, Layer 2 would probably be more cost-effective and easier with MACsec because of the form factor of encryption."