Embracing Encryption

Multiple technology methods implemented to meet standards

Due to the ever-increasing number of data breaches, no network traffic, whether inside the corporate LAN, across the WAN or over the Internet, can be trusted. To address the problem, many organizations are focusing on appliance-based endpoint security or identity management solutions to create trusted endpoints and trusted users separately. While this might work temporarily, there is a stronger security solution for continuous data protection.

A Compliance-Grade™ Safe Passage™ network architecture creates a trusted network, where encryption hides sensitive data and authenticates each packet going into a trusted endpoint, rejecting all unauthorized connections. Using policies, keys and enforcement, a three-layer network security architecture is built, allowing administrators to scale and manage encryption wherever data travels.

Current encryption solutions do not scale to support the global problem of applying data protection at all endpoints. New technology is required to provide a viable answer. Organizations must implement a model to leverage a common policy definition platform, separating key management capabilities to provide a broader application of encryption technology.

In some ways, large organizations are already preparing for the demands of untrusted networks by integrating security into networks. These organizations are using firewalls and IDS/IPS technology to inspect traffic, search for malware and permit or deny access to intellectual property. Much more is needed. Traffic must be secured as it moves throughout the network.

When looking at network security technology, consider:

  • VLAN technology separates users into communities of interest, but in no way offers confidentiality, data integrity and source authentication of traffic flowing within the VLAN.

  • MPLS services separate customers sharing the network, but do not provide confidentiality for data in transit. Any recipient of data traffic, either due to a misconfiguration or criminal intent, may access the sensitive data from customers.

  • Securing multicast traffic is difficult at best and, in large implementations, it isn't operationally feasible. Imagine corporate updates, future roadmap presentations or field training being broadcast over a shared IP network. Ensuring confidentiality of that traffic is a problem.

  • Large, secure mesh networks are operationally impossible to administer. The administration of security policies for mesh networks is a real nightmare, with policy numbers quickly rising to the thousands if not tens of thousands.

There are a number of encryption solutions deployed today to solve portions of the problems. There are, for example, application-level encryption tools -- SSL VPNs, IPSec VPNs, Layer 2 encryption (IEEE 802.1ae), file transfer encryption tools, telnet encryption and e-mail encryption tools. These diverse technologies do provide solutions for pieces of the security requirement. Yet encryption tools are complex, too granular in capabilities and almost impossible to manage. The market today needs a solution that provides a broad scope in the applications it secures, satisfies the necessary regulations and reduces the management and operational overhead caused by other solutions.

Protecting Data in Motion
Four primary data protection technologies are currently deployed to provide portions of the available security solution. The technologies are application encryption, SSL VPNs, IPSec VPNs and link-layer encryption. These approaches are very different in implementation and provide varying advantages and disadvantages.

One major distinction between the implementations is the location in the application stack where the technology is applied. Looking at the stack from the top, the application layer provides end-user applications and data access. These applications may be e-mail, telnet, FTP and any other user applications (banking, engineering, etc.). The transport layer sets up end-to-end connectivity, providing both connectionless and connection-oriented protocols. TCP is a connection-oriented transport protocol that provides reliable packet delivery, error recovery and packet reordering capabilities. The network layer is responsible for delivering the packet to a communicating peer in the network. It uses routing functions to transmit the packet across a network or the Internet. The link layer is responsible for packet delivery across a specific link, such as an Ethernet segment, a SONET segment or a frame relay circuit.

Application Encryption
For application encryption, specific applications provide the encryption endpoints securing traffic. E-mail is one example that currently uses encryption technology. End-to-end encryption tunnels are built from e-mail clients to servers. The endpoints negotiate security parameters, authenticate each other and exchange keying material. Traffic flows in a secure manner.

Database applications also are employing encryption to secure data on the disk or to secure specific data fields in a database. These technologies require encryption key storage and archiving while offering the capacity to secure data at rest. But the method still may be open to attacks when data is in motion.

Specificity enables application encryption to be very granular in its implementation, securing specific data fields, e-mail addresses or any sensitive data. This has some real advantages if the security need is application specific such as a company that only needs to encrypt a CEO's e-mail or one Social Security number on a database. There are some real tradeoffs. As the use of encryption technology grows, specificity of application encryption becomes impossible to administer and implement on a large scale. So, if e-mail security is all that is required, then the technology is a great solution. With regulations driving the use of encryption on a large scale, applying application encryption to all applications is a huge obstacle to overcome.

TLS/SSL
If it is difficult to encrypt data in motion for all applications, is there a subset of applications that use a common communications platform so encryption technology can be applied in a more general way? Enter transport layer security/secure sockets (TLS/SSL).

TLS/SSL is implemented between the application and the transport layer. Using TCP for reliable delivery, TLS/SSL primarily secures Web-based applications, although any TCP application can be secured.

TLS/SSL has wide acceptance for protecting Web-based applications. Since most Internet browsers contain SSL endpoints, there is no need to distribute security clients.

As the use of SSL continues to grow, there is a need to expand its use to broader applications. Some vendors have developed SSL gateways that are basically conversion tools to convert a browser-based session to another application. In order to expand the use to other applications, SSL VPN providers are delivering client software that converts SSL to operate at the IP/network layer. This enables security for a broader set of applications -- especially important for non-TCP-based applications such as UDP-based VoIP.

However, with its placement above the transport layer, TLS/SSL requires either that all applications be Web enabled (either through protocol conversion or application change) or that clients be loaded on each end station. Web-enabling all applications can be costly. In addition, SSL technology is designed for end-client security. Many of today's needs are from remote branch to data center, data center to remote backup facility, and secure communication over MPLS or Metro Ethernet. As the need to protect all data grows, protecting traffic requires a more global approach to security and cannot be solved by client-to-server, browser-based encryption solutions.

IPSec
IPsec is a standard defined to secure selected traffic over an IP network. The stack placement enables IPsec to secure all IP traffic, Web, non-Web, VoIP, FTP or Telnet. IPsec is well understood and provides for confidentiality (encryption), source authentication, data integrity and anti-replay. Today, IPsec is used for remote client access and site-to-site communication.

IPSec has advantages compared to other approaches. It can be implemented on the client, gateway appliance or router. As a gateway, IPSec can be used to secure many clients with a single policy and a single set of encryption keys. Users can be grouped by IP addresses or transport-layer port numbers, enabling security on a specific IP stream or specific application without any workstation impact or change. IPSec can secure all IP traffic, whether it is FTP, Telnet, IPTV or VoIP, and it enables a full set of security services and functions as a stateless firewall, enabling or denying access to secure resources.

IPsec also has disadvantages. Network-wide IPsec implementations tend to be complex to configure and manage, and IPsec requires client software for remote access environments.

Link-Layer Encryption
Link-layer encryption is applied to protect specific network segments. These segments can be frame relay DLCIs, DWDM wavelengths or Ethernet segments. Link-layer encryption secures all traffic and can be used in cases where traffic is not IP.

The advantages of link-layer encryption are based on implementation ease. Everything is encrypted between two endpoints and usually no security policy definition is required. Link-layer encryption is for point-to-point applications with no IP or network layer.

But there are problems with link-layer encryption. Over IP networks, implementing link-layer encryption requires encryptors between each pair of network-layer devices. A new draft standard, IEEE 802.1AE, defines link-layer encryption between communicating devices over any link segment. In this approach, each link segment encrypts and decrypts traffic using separate keys for each secure link operation.

The Solution
As regulations push enterprises to rethink security strategy and securing traffic in motion becomes a requirement, multiple encryption methods will be implemented to satisfy specific encryption standards. However, a new model is necessary to implement and manage a cohesive security strategy.

First and foremost, security policies must be consolidated to one entity. Today, security policy is split between all technologies providing security services: firewalls, IDS/IPS, data protection and identity management. For data protection, common security policy should be in place to implement encryption, whether application, SSL or IPSec. A common policy platform enables a global set of rules such as resource entitlement (access based on groups of users, applications or devices and implementation specifics).

Secondly, for data protection, key negotiation and exchange cannot limit network or application services. Encryption implementation requires two endpoints to authenticate each other and exchange keying material. This sets up point-to-point communication tunnel endpoints. As the need for data protection implementation grows, the scalability of the approach is questionable. Imagine point-to-point tunnels to hundreds, if not thousands, of endpoints. Point-to-point key management is difficult at best and impossible in mesh networks tying together thousands of end users.

The security model must separate key management from endpoint devices. Key management should leverage policy rules to group endpoints; store and archive keys; generate and distribute keys to endpoints; and provide the security policy interface to endpoints.
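As an added illustration of the model described above and of the IPsec section's point that an enforcement point groups users by address or port and acts as a stateless firewall (this is example code written for this page, not code from the article or from any product it mentions): a common policy platform groups endpoints by address range, a key manager kept separate from the enforcement points issues one key per protected group pair rather than per endpoint pair, and an enforcement point classifies each packet as protect, bypass or discard. The group names, address ranges, rules and key material are constructed.

```python
import ipaddress
import secrets

# Constructed example data (not from the article): endpoint groups are defined
# by address range, so any device in a range is covered without per-host setup.
GROUPS = {
    "branch": ["10.1.0.0/16", "10.2.0.0/16"],
    "dc":     ["10.0.0.0/16"],
    "guest":  ["192.168.50.0/24"],
}

# Common policy, first matching rule wins; a port set of None means any port.
# Traffic that matches nothing is discarded, so the enforcement point also
# behaves as a stateless firewall.
RULES = [
    ("branch", "dc", {443, 1433}, "protect"),
    ("dc", "branch", None, "protect"),
    ("guest", "dc", None, "discard"),
    ("branch", "internet", None, "bypass"),
]

def group_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "internet"  # anything outside a defined group

class KeyManager:
    """Key authority kept apart from the enforcement points: one key per
    protected group pair, so the key count grows with groups, not endpoints."""
    def __init__(self):
        self.keys = {}
    def key_for(self, g1, g2):
        scope = tuple(sorted((g1, g2)))  # same key in both directions
        if scope not in self.keys:
            self.keys[scope] = secrets.token_bytes(32)  # hypothetical key material
        return scope, self.keys[scope]

def decide(km, src, dst, dport):
    """Classify one packet: returns (action, key_scope); key_scope is None
    unless the policy requires the packet to be encrypted."""
    sg, dg = group_of(src), group_of(dst)
    for rs, rd, ports, action in RULES:
        if (rs, rd) == (sg, dg) and (ports is None or dport in ports):
            return (action, km.key_for(sg, dg)[0]) if action == "protect" else (action, None)
    return "discard", None
```

Every branch host reaching the data center on a permitted port shares the one branch/dc key, so adding hosts to a group changes no policy and no key.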

Third, users need to start looking at security endpoints as any device or application (PDA, cell phone, software, router or switch). As users move to a security model where all endpoints are security enforcement points, the model needs to accommodate any type of device or software and reduce complexity as much as possible.

The model leverages a common policy platform with separate encryption key management, improving data protection. New technologies and an improved enterprise data protection architecture are necessary to deliver this protection model.

This article originally appeared in the January 2007 issue of Security Products, pgs. 48-50.