When To Encrypt At Layer 2 Or Layer 3

Layer 2--data link layer--encryption is a high-performance security option that offers some advantages over Layer 3--networking layer--encryption in some scenarios, particularly in unified communications environments that require low-latency, high-volume data transmission. The increased availability and popularity of high-speed carrier Ethernet services provide fast, relatively cheap transmission, particularly for voice, video and other latency sensitive traffic. Enterprises can leverage more traditional Layer 3 IPSec encryption utilizing high-speed switching technology and fast pipes. Or, they can look at Layer 2 encryption technology, which is faster and simple to manage, for appropriate situations.

"If you are looking to aggregate a whole bunch of traffic across a metro Ethernet network on a very high speed link, that's where Layer 2 really shines," said Scott Fanning, senior engineering manager for IOS security at Cisco Systems. "If you are looking at IPSec, you're looking at a much more granular policy, per device or per user policy. You pick the use case appropriately--they're complementary, certainly not competing technologies."

Because it operates below the network layer, Layer 2 encryption is protocol agnostic and is very attractive for high-speed data transmission between data centers. It simply "encrypts everything" and sharply reduces the overhead required by IPSec by as much as 40 percent of available bandwidth. "We encrypt everything that goes across out links; it's just easier to say, if it goes out of our premise, it's encrypted," said the network manager for a regional health care provider, who encrypts traffic largely to meet HIPAA and Medicare requirements.

However, as the provider moved up to gigabit traffic transmission, traffic increased dramatically as users took advantage of the increased capability. VoIP, in particular, has grown from one percent to 10 percent of bandwidth use, but accounts for a quarter of the packet total, placing a heavy burden on processing. "We saw CPU utilization on our routers that were doing encryption jump up dramatically," he said of the VoIP demands. He implemented Layer 2 encryption using SafeNet encryptors, which addressed the performance and latency issues and offloaded encryption from his routers. The company uses Layer 3 encryption for lower bandwidth environments, as well as data transmission to other companies that may not be in a position to support Layer 2.

Layer 2 encryption is a "hop-by-hop" technology, rather than an end-to-end approach used by IPSec. This can be a limiting factor, but also allows organizations that want to inspect traffic to look at network telemetry information provided by Netflow, for example, between points, because the traffic is in the clear within the device.  The encryption devices on the end of each "hop" must not only support Layer 2 but must be directly connected or appear to be directly connected. For example, a Layer 2 transmission could take place across an MPLS network, which would make the intervening network transparent to the encryption devices.Layer 2 encryption of large-scale data transmission can be implemented in high-end network equipment, for example, between switch ports on Cisco's Nexus 7000 series10GbE switches  or between an endpoint device and an access switch, such as its Catalyst 3560-X and 3750-X series. These switches support the IEEE 802.1AE (MACsec) Layer 2 encryption protocol and the more recently adopted 802.1x REV, which automates 802.1AE authentication and key management requirements.   

"We've seen Layer 2 come in and out fashion," said Brian Weis, distinguished engineer, IOS security at Cisco. One of the challenges is that there wasn't a standard; every vendor did it their own way and you were forced because of that hop-by-hop paradigm, you had to stick with a single vendor. Now that there is a standard that's maturing, I think you will see more Layer 2 adoption because can go into multi-vendor environment."

Alternatively, organizations can purchase and deploy purpose-built Layer 2 encryptors from companies such as SafeNet, CiperOptics and Thales. The health care network manager, for example, decided that a network upgrade would be too expensive.  He could keep his existing routers while offloading encryption to the SafeNet appliances.

MACsec uses 128-bit AES encryption. So, situations that require 256-bit encryption, such as some military or other high-security environments, might lean to one of the dedicated Layer 2 products.

Management is another Layer 2 advantage--it's pretty a much a deploy and forget technology. They generally require only initial configuration. That reduces the risk of misconfiguration and related security risks. "Layer 2 policy is simple," said SafeNet product manager Davin Baker. "You eliminate the complexities of creating Layer 3 security policy, which is prone to misconfiguration. We've seen this in very large networks, which can get so complex in terms of policy that you take out sites by misconfiguration without knowing it."Another benefit of that simplicity is that Layer 2 does not require sharing routing information with service providers, which may appeal to organizations whose policies prohibit releasing this kind of information. From a security perspective, both Layer 2 and Layer 3 provide the necessary protection against attackers that tap into traffic by snooping on the access link, by, for instance, placing a hub somewhere along the link.  Even fiber optic cable, thought by many to be inaccessible, can be tapped using relatively inexpensive equipment that can take advantage of light leakage. Layer 2's performance and low latency may make it the encryption of choice in this kind of environment.

Layer 2 encryption protects against all forms of man-in-the middle attacks; 802.1ae/8092.1XREV ties user authentication to the MACsec session, allowing only MACsec packets between devices. Nothing in the middle can get in, which is why, as Cisco's Weis explained, Layer 2 encryption is used for WPA2 wireless security.

The passage of the standards and compatible products, and the options for integrated network implementation or purpose-built products make Layer 2 encryption a viable option for scenarios such as high-speed data transmission for multimedia traffic, links between telecommunications centers and rapid disaster recovery. The choice of Layer 2 or 3 is highly dependent on the use case.

There are different places where each fits," said Darren Miller, Cisco distinguished engineer, security systems unit. "In a WAN environment, for example, if you need security for branch offices with lots of any to any communications, that's IPSec all the way. A secure link between buildings, Layer 2 would probably be more cost-effective and easier with MACsec because of the form factor of encryption."