Embracing Encryption

Multiple technology methods implemented to meet standards

Due to the ever-increasing number of data breaches, no network traffic, whether inside the corporate LAN, across the WAN or over the Internet, can be trusted. To address the problem, many organizations are focusing on appliance-based endpoint security or identity management solutions, each of which separately tries to create trusted endpoints and users. While this might work temporarily, there is a stronger security solution for continuous data protection.

A Compliance-Grade™ Safe Passage™ network architecture creates a trusted network, where encryption hides sensitive data and authenticates each packet entering a trusted endpoint, rejecting all unauthorized connections. Using policies, keys and enforcement, a three-layer network security architecture is built, allowing administrators to scale and manage encryption wherever data travels.

Current encryption solutions do not scale to the global problem of applying data protection at every endpoint. New technology is required to provide a viable answer. Organizations must implement a model that leverages a common policy definition platform and separates key management from the endpoints, so that encryption technology can be applied more broadly.

In some ways, large organizations are already preparing for the demands of untrusted networks by integrating security into networks. These organizations are using firewalls and IDS/IPS technology to inspect traffic, search for malware and permit or deny access to intellectual property. Much more is needed. Traffic must be secured as it moves throughout the network.

When looking at network security technology, consider:

  • VLAN technology separates users into communities of interest, but offers no confidentiality, data integrity or source authentication for traffic flowing within the VLAN.

  • MPLS services separate customers sharing the network, but do not provide confidentiality for data in transit. Anyone who receives the traffic, whether through misconfiguration or criminal intent, can read the customer's sensitive data.

  • Securing multicast traffic is difficult at best and, in large implementations, it isn't operationally feasible with pairwise tunnels. Imagine corporate updates, future roadmap presentations or field training being broadcast over a shared IP network. Ensuring confidentiality of that traffic is a problem.

  • Large, secure mesh networks are operationally impossible to administer with pairwise tunnels. The administration of security policies for mesh networks is a real nightmare: a full mesh of n sites needs n(n-1)/2 point-to-point tunnels, so the number of policies quickly rises into the thousands if not tens of thousands.

There are a number of encryption solutions deployed today that each solve a portion of the problem. They sit at different layers of the stack: application-level tools (file transfer, e-mail and terminal-session encryption), SSL VPNs, IPsec VPNs and Layer 2 encryption (IEEE 802.1AE). These diverse technologies do provide solutions for pieces of the security requirement. Yet the tools are complex, too narrow in scope and almost impossible to manage together. The market today needs a solution that provides a broad scope in the applications it secures, satisfies the necessary regulations and reduces the management and operational overhead caused by other solutions.

Protecting Data in Motion
Four primary data protection technologies are currently deployed to provide portions of the available security solution: application encryption, SSL VPNs, IPsec VPNs and link-layer encryption. These approaches differ substantially in implementation and have different advantages and disadvantages.

One major distinction between the implementations is where in the protocol stack the technology is applied. The application layer provides end-user applications and data access: e-mail, telnet, FTP and any other user application (banking, engineering, etc.). The transport layer sets up end-to-end connectivity, providing both connectionless (UDP) and connection-oriented (TCP) protocols; TCP provides reliable delivery, error recovery and packet reordering. The network layer is responsible for delivering the packet to a communicating peer, using routing functions to carry it across a network or the Internet. The link layer is responsible for delivery across a specific link, such as an Ethernet segment, a SONET span or a frame relay circuit.

Application Encryption
For application encryption, specific applications provide the encryption endpoints that secure the traffic. E-mail is one example that already uses encryption technology: encrypted sessions are built between e-mail clients and servers (which protects each hop, not the message end to end). The endpoints negotiate security parameters, authenticate each other and exchange keying material, and traffic then flows securely.

Database applications are also employing encryption, to protect data on disk or specific fields in a database. These technologies require key storage and archiving and secure the data at rest, but the data may still be exposed to attack while it is in motion.

Specificity enables application encryption to be very granular in its implementation, securing specific data fields, e-mail addresses or any sensitive data. This has real advantages when the security need is application specific, such as a company that only needs to encrypt the CEO's e-mail or one Social Security number column in a database. There are real tradeoffs, though: as the use of encryption grows, that same specificity becomes impossible to administer and implement on a large scale. If e-mail security is all that is required, the technology is a great solution. With regulations driving the use of encryption on a large scale, applying application encryption to every application is a huge obstacle to overcome.

TLS/SSL
If it is difficult to encrypt data in motion for all applications, is there a subset of applications that share a common communications platform so encryption can be applied in a more general way? Enter Transport Layer Security/Secure Sockets Layer (TLS/SSL).

TLS/SSL is implemented between the application and the transport layer. Running over TCP for reliable delivery, TLS/SSL primarily secures Web-based applications, although any TCP application can be secured.

TLS/SSL has wide acceptance for protecting Web-based applications. Since most Internet browsers contain SSL endpoints, there is no need to distribute security clients.

As the use of SSL continues to grow, there is a need to expand it to broader applications. Some vendors have developed SSL gateways that are basically conversion tools, turning a browser-based session into another application's protocol. To go further, SSL VPN providers are delivering client software that carries IP/network-layer traffic inside the SSL session. This extends security to a broader set of applications, which is especially important for non-TCP applications such as UDP-based VoIP (tunnelling IP inside a TCP-based TLS session does stack TCP retransmission on top of TCP retransmission under packet loss, which is why tunnels of this kind are better carried over UDP-based DTLS).

However, with its placement above the transport layer, TLS/SSL requires either that all applications be Web enabled (through protocol conversion or application change) or that clients be loaded on each end station. Web-enabling all applications can be costly. In addition, SSL technology is designed for end-client security. Many of today's needs are remote branch to data center, data center to remote backup facility, or secure communication over MPLS or Metro Ethernet. As the need to protect all data grows, protecting traffic requires a more global approach to security that cannot be met by client-to-server, browser-based encryption alone.

IPsec
IPsec is a standard defined to secure selected traffic over an IP network. Its placement at the network layer enables IPsec to secure all IP traffic: Web, non-Web, VoIP, FTP or Telnet. IPsec is well understood and provides confidentiality (encryption), source authentication, data integrity and anti-replay protection. Today, IPsec is used for remote client access and site-to-site communication.
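The anti-replay service mentioned above is worth seeing concretely, because it is the one IPsec service that depends on receiver state rather than on the cipher. The following is an added example, not code from the article or any vendor: a sliding-window replay check in the style of the ESP receiver (RFC 4303, section 3.4.3), with a window size of 64 assumed and a constructed packet sequence. The important ordering detail is that the window is updated only after the packet's integrity check value (ICV) verifies; otherwise an attacker could poison the window with forged sequence numbers and cause genuine packets to be dropped.

```python
WINDOW_SIZE = 64   # assumed window; RFC 4303 requires support for at least 32


class AntiReplayWindow:
    """Receive-side replay state for one security association (SA):
    the highest sequence number accepted so far plus a bitmap of which
    of the preceding WINDOW_SIZE-1 numbers have been seen."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.right = 0     # highest sequence number accepted; 0 = none yet
        self.bitmap = 0    # bit i set => sequence number (right - i) accepted

    def check(self, seq):
        """Decide without changing state, so the integrity check can run
        between check() and update().  Returns a loggable verdict."""
        if seq == 0:
            return "reject: sequence number 0 is never valid"
        if seq > self.right:
            return "accept: advances window"
        if seq <= self.right - self.size:
            return "reject: older than window"
        if self.bitmap & (1 << (self.right - seq)):
            return "reject: replay"
        return "accept: inside window, not yet seen"

    def update(self, seq):
        """Record seq as accepted.  Must be called only after the packet's
        ICV verified; marking unauthenticated packets would let an attacker
        poison the window with forged sequence numbers."""
        if seq > self.right:
            shifted = (self.bitmap << (seq - self.right)) | 1
            self.bitmap = shifted & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def receive(window, seq, icv_ok):
    """Replay handling for one inbound ESP packet: check, verify, update."""
    verdict = window.check(seq)
    if not verdict.startswith("accept"):
        return verdict
    if not icv_ok:                      # integrity check failed
        return "reject: bad ICV (window untouched)"
    window.update(seq)
    return verdict


def demo():
    """Constructed sequence: normal traffic, a late packet, a replayed
    capture, a packet older than the window, and a forged packet."""
    w = AntiReplayWindow()
    seqs = [(1, True), (2, True), (3, True), (70, True), (69, True),
            (70, True),    # attacker replays captured packet 70
            (5, True),     # genuine but older than the 64-wide window
            (71, False),   # forged packet with a bad ICV
            (71, True)]    # the genuine packet 71 is still accepted
    return [receive(w, s, ok) for s, ok in seqs]
```

Running demo() shows the forged packet 71 being rejected without disturbing the window, so the genuine packet 71 that follows is still accepted; had update() run before the ICV check, the real packet would have been flagged as a replay.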

IPsec has advantages compared to other approaches. It can be implemented on the client, on a gateway appliance or on a router. As a gateway, IPsec can secure many clients with a single policy and a single set of encryption keys. Traffic can be selected by IP address or transport-layer port number, enabling security on a specific IP stream or a specific application without any change to the workstation. IPsec can secure all IP traffic, whether FTP, Telnet, IPTV or VoIP; it enables a full set of security services and, through its policy database (protect, bypass or discard), functions as a stateless firewall permitting or denying access to secured resources.
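The "single policy for many clients" and "stateless firewall" behaviour both come from the IPsec security policy database (SPD): an ordered list of traffic selectors, each mapped to PROTECT, BYPASS or DISCARD. The following is an added example, not the article's or any product's code, of that lookup in the style of RFC 4301, with a constructed branch-office policy and constructed packet 5-tuples. The address ranges, SA names and port ranges are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Selector:
    """One SPD entry: who it applies to and what to do with the traffic."""
    src: str                            # CIDR prefix, e.g. "10.1.0.0/16"
    dst: str
    proto: Optional[str]                # "tcp", "udp", "icmp" or None = any
    dport: Optional[Tuple[int, int]]    # inclusive port range or None = any
    action: str
    sa_name: Optional[str] = None       # which SA/tunnel carries PROTECT traffic

    def matches(self, pkt: Dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True


class SPD:
    """Ordered policy: the first matching entry wins, as in RFC 4301.
    Traffic matching nothing is discarded, which is what makes the
    gateway a stateless firewall rather than just an encryptor."""

    def __init__(self, entries: List[Selector]):
        self.entries = list(entries)

    def lookup(self, pkt: Dict) -> Tuple[str, Optional[str]]:
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action, entry.sa_name
        return DISCARD, None


# Constructed policy for a branch gateway.  Order matters: the DNS bypass
# sits inside the data-center prefix, so it must precede the general rule.
POLICY = SPD([
    Selector("10.1.0.0/16", "10.100.53.0/24", "udp", (53, 53), BYPASS),
    Selector("10.1.0.0/16", "10.100.0.0/16", None, None, PROTECT, "branch-to-dc"),
    Selector("10.1.0.0/16", "10.200.0.0/16", "udp", (16384, 32767), PROTECT, "voip"),
    Selector("0.0.0.0/0", "0.0.0.0/0", None, None, DISCARD),
])

SAMPLE_PACKETS = {   # constructed 5-tuples as seen on the branch LAN side
    "dns":      {"src": "10.1.4.7", "dst": "10.100.53.10", "proto": "udp", "dport": 53},
    "web":      {"src": "10.1.4.7", "dst": "10.100.20.5", "proto": "tcp", "dport": 443},
    "icmp":     {"src": "10.1.4.7", "dst": "10.100.20.5", "proto": "icmp"},
    "rtp":      {"src": "10.1.9.2", "dst": "10.200.1.1", "proto": "udp", "dport": 20000},
    "sip-odd":  {"src": "10.1.9.2", "dst": "10.200.1.1", "proto": "udp", "dport": 5060},
    "internet": {"src": "10.1.4.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
}


def decide_all(spd: SPD = POLICY, packets: Dict = SAMPLE_PACKETS) -> Dict:
    """Apply the policy to every sample packet; one policy, many hosts."""
    return {name: spd.lookup(pkt) for name, pkt in packets.items()}
```

Every host in 10.1.0.0/16 is covered by the same four entries and the same two SAs, which is the administrative advantage the paragraph describes; the "sip-odd" and "internet" packets show the discard behaviour for traffic the policy never mentions.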

IPsec also has disadvantages. Network-wide IPsec implementations tend to be complex to configure and manage, and IPsec requires client software in remote access environments.

Link-Layer Encryption
Link-layer encryption protects specific network segments, such as frame relay DLCIs, DWDM wavelengths or Ethernet segments. It secures all traffic on the segment and can be used where the traffic is not IP.

The advantages of link-layer encryption come from ease of implementation: everything between the two endpoints is encrypted and usually no security policy definition is required. Link-layer encryption suits point-to-point applications with no IP or network-layer routing in between.

But there are problems with link-layer encryption. Over IP networks, encryptors are required on every link between network-layer devices, and each router or switch along the path handles the traffic in the clear. The IEEE 802.1AE (MACsec) standard, ratified in 2006, defines link-layer encryption between directly connected devices over any link segment. In this approach each link encrypts and decrypts traffic with its own keys, so the protection is hop by hop rather than end to end.
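To make the hop-by-hop point tangible, here is an added example, not from the article or any vendor, that parses the 802.1AE Security TAG (SecTAG: EtherType 0x88E5, TCI/AN, SL, PN and optional SCI) and shows which fields stay in the clear on the wire. The frames, MAC addresses and payload are constructed; the builder lays out the framing only and does not run GCM-AES, so the ICV is a zero placeholder. The same user data is shown as it would appear on two consecutive MACsec links, each with its own secure channel identifier (SCI), packet number (PN) and association number (AN).

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16            # GCM-AES integrity check value
SHORT_LEN_LIMIT = 48    # SL carries the user-data length only below this


def parse_macsec_frame(frame: bytes) -> dict:
    """Parse DA, SA and the SecTAG and locate the secure data and ICV.
    Raises ValueError where a conformant receiver would drop the frame."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for DA, SA, SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    tci = {
        "V":   (tci_an >> 7) & 1,   # version; only 0 is defined
        "ES":  (tci_an >> 6) & 1,   # end station: SCI implied by source MAC
        "SC":  (tci_an >> 5) & 1,   # explicit 8-octet SCI follows the PN
        "SCB": (tci_an >> 4) & 1,   # EPON single-copy broadcast
        "E":   (tci_an >> 3) & 1,   # user data encrypted
        "C":   (tci_an >> 2) & 1,   # user data changed by the cipher suite
        "AN":  tci_an & 0x3,        # association number: which key is in use
    }
    if tci["V"] != 0:
        raise ValueError("unsupported SecTAG version")
    if pn == 0:
        raise ValueError("PN 0 is invalid; the SA must be rekeyed before wrap")
    offset, sci = 20, None
    if tci["SC"]:
        if len(frame) < 28 + ICV_LEN:
            raise ValueError("frame too short for SCI")
        sci, offset = frame[20:28], 28
    secure_data, icv = frame[offset:-ICV_LEN], frame[-ICV_LEN:]
    if sl and sl != len(secure_data):
        raise ValueError("SL=%d but secure data is %d octets" % (sl, len(secure_data)))
    if sl == 0 and len(secure_data) < SHORT_LEN_LIMIT:
        raise ValueError("SL must be set for short user data")
    return {
        "dst": dst.hex(), "src": src.hex(), **tci, "pn": pn,
        "sci": sci.hex() if sci else None,
        "secure_data_len": len(secure_data), "icv": icv.hex(),
        # everything above is sent in the clear: MAC addresses, SCI and PN
        # are visible to anyone on the segment even when E and C are set
        "confidentiality": bool(tci["E"] and tci["C"]),
    }


def build_macsec_frame(dst, src, sci, pn, user_data, an=0, encrypt=True):
    """Construct a frame for offline tests.  user_data stands in for the
    cipher-suite output and the ICV is a zero placeholder."""
    tci_an = (1 << 5) | (an & 0x3)            # SC=1: explicit SCI present
    if encrypt:
        tci_an |= (1 << 3) | (1 << 2)         # E=1, C=1
    sl = len(user_data) if len(user_data) < SHORT_LEN_LIMIT else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci
    return dst + src + sectag + user_data + bytes(ICV_LEN)


# Constructed sample: 30 octets of user data crossing two MACsec hops.  The
# switch in the middle decrypts, handles the user data in the clear, and
# re-protects it on the next link under its own SCI, PN and AN.
HOST_A = bytes.fromhex("001122334455")
SWITCH = bytes.fromhex("0a0b0c0d0e0f")
HOST_B = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(range(30))
HOP1 = build_macsec_frame(HOST_B, HOST_A, HOST_A + b"\x00\x01", 17, PAYLOAD)
HOP2 = build_macsec_frame(HOST_B, SWITCH, SWITCH + b"\x00\x01", 4093, PAYLOAD, an=1)


def hop_by_hop():
    """Parsed view of the same user data on the two links."""
    return parse_macsec_frame(HOP1), parse_macsec_frame(HOP2)
```

Comparing the two parsed frames shows different SCIs, PNs and ANs around identical user data: the switch between the links is a full trust boundary, which is the caveat to weigh before choosing link-layer encryption for traffic that crosses routed infrastructure.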

The Solution
As regulations push enterprises to rethink security strategy and securing traffic in motion becomes a requirement, multiple encryption methods will be implemented to satisfy specific encryption standards. However, a new model is necessary to implement and manage a cohesive security strategy.

First and foremost, security policies must be consolidated in one place. Today, security policy is split between all the technologies providing security services: firewalls, IDS/IPS, data protection and identity management. For data protection, a common security policy should drive encryption whether it is applied at the application layer, with SSL or with IPsec. A common policy platform enables a global set of rules, such as resource entitlement (access granted to groups of users, applications or devices), separate from the implementation specifics of each encryption technology.

Secondly, for data protection, key negotiation and exchange must not limit network or application services. Today's encryption implementations require two endpoints to authenticate each other and exchange keying material, which sets up a point-to-point tunnel. As the need for data protection grows, the scalability of this approach is questionable: imagine point-to-point tunnels to hundreds, if not thousands, of endpoints. Pairwise key management is difficult at best and impossible in mesh networks tying together thousands of end users.

The security model must separate key management from the endpoint devices. The key management function should use the policy rules to group endpoints; generate, distribute, store and archive keys; and provide the security policy interface to the endpoints.
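The two points above (pairwise tunnels do not scale, so a key server should derive keys from policy groups and distribute them) can be shown in a few dozen lines. The following is an added example, a schematic of the model the article describes and not the vendor's product: a KeyServer holds one key per policy group, rotates it while retaining the previous key for packets in flight, and hands each endpoint only the keys of the groups its policy entitles it to. The policy, endpoint names and payloads are constructed. To stay on the standard library, packets are authenticated with HMAC-SHA256 (source authentication and integrity only, no confidentiality) and replay protection is left out.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32   # HMAC-SHA256 output


class KeyServer:
    """Policy-driven key management separated from the endpoints.  The
    policy (constructed) maps a group name to the endpoints entitled to
    that group's traffic; the server keeps one key per group, rotates
    it, and distributes to each endpoint only what policy allows."""

    def __init__(self, policy):
        self.policy = {g: set(members) for g, members in policy.items()}
        self.keys = {g: {} for g in self.policy}   # group -> {key_id: key}
        self.current = {}                          # group -> current key_id
        for g in self.policy:
            self.rekey(g)

    def rekey(self, group):
        """Issue a fresh key; keep only the previous one so traffic sent
        just before rollover still verifies, and expire anything older."""
        key_id = self.current.get(group, 0) + 1
        self.keys[group][key_id] = secrets.token_bytes(32)
        self.current[group] = key_id
        for old in [k for k in self.keys[group] if k < key_id - 1]:
            del self.keys[group][old]
        return key_id

    def keys_for(self, endpoint):
        """The distribution step: an endpoint receives keys only for the
        groups that policy places it in, never the whole key store."""
        return {g: (self.current[g], dict(self.keys[g]))
                for g, members in self.policy.items() if endpoint in members}


class Endpoint:
    """A security enforcement point (router, gateway, host software) that
    authenticates each packet under the group key chosen by policy."""

    def __init__(self, name, server):
        self.name, self.server, self.seq = name, server, 0
        self.sync()

    def sync(self):
        self.groups = self.server.keys_for(self.name)

    def protect(self, group, payload):
        key_id, keys = self.groups[group]   # KeyError: not entitled to group
        self.seq += 1
        header = f"{group}|{key_id}|{self.name}|{self.seq}|".encode()
        tag = hmac.new(keys[key_id], header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet):
        """Return (sender, payload) if the packet came from a member of a
        group this endpoint belongs to, under a key that is still valid;
        otherwise None."""
        try:
            group, key_id, sender, _seq, rest = packet.split(b"|", 4)
            key_id = int(key_id)
        except ValueError:
            return None
        entitlement = self.groups.get(group.decode())
        if entitlement is None:
            return None                       # policy never gave us this group
        key = entitlement[1].get(key_id)
        if key is None:
            return None                       # expired or unknown key_id
        payload, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        header = packet[:len(packet) - len(rest)]
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return sender.decode(), payload


def demo():
    """Constructed policy: hq-gw belongs to both groups, but the two
    branches are in different groups and cannot read each other."""
    server = KeyServer({"finance": {"hq-gw", "branch-a"},
                        "engineering": {"hq-gw", "branch-b"}})
    hq, a, b = (Endpoint(n, server) for n in ("hq-gw", "branch-a", "branch-b"))
    out = {}
    pkt = a.protect("finance", b"GL close figures")
    out["member"] = hq.verify(pkt)
    out["non-member"] = b.verify(pkt)
    flipped = pkt[:-TAG_LEN - 1] + bytes([pkt[-TAG_LEN - 1] ^ 1]) + pkt[-TAG_LEN:]
    out["tampered"] = hq.verify(flipped)
    server.rekey("finance")                     # key 2 current, key 1 retained
    hq.sync()
    out["rollover"] = hq.verify(a.protect("finance", b"sent with key 1"))
    server.rekey("finance")                     # key 3 current, key 1 expired
    hq.sync()
    out["stale"] = hq.verify(a.protect("finance", b"still on key 1"))
    a.sync()
    out["resynced"] = hq.verify(a.protect("finance", b"now on key 3"))
    return out
```

Note that the endpoints never negotiate with each other: adding a thousandth member to "finance" costs the key server one policy entry and one key distribution, not a thousand new tunnels, and the two-key retention window is what lets rekeying proceed without dropping traffic already on the wire.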

Third, users need to start treating any device or application (PDA, cell phone, software, router or switch) as a security endpoint. As users move to a model where all endpoints are security enforcement points, the model must accommodate any type of device or software and reduce complexity as much as possible.

The model leverages a common policy platform and separate encryption key management, improving data protection. New technologies and an improved enterprise data protection architecture are necessary to provide this protection model.

This article originally appeared in the January 2007 issue of Security Products, pgs. 48-50.