Survive Network Security Challenges: Travel From 'No Trust' to Secure Traffic in Motion


Compliance with current and pending regulations is driving network users and service providers to rethink their network security strategy. For years, data traffic within the business environment has been trusted and considered secure as it travels over local LANs and across leased lines, Frame Relay, and ATM networks. With most of this data traveling over shared IP networks, and regulations pushing to secure vulnerable traffic, security technologies must now be enhanced to provide an appropriate level of safety.

In the near future, no network traffic will be trusted, whether it stays inside the corporate LAN, crosses the WAN, or traverses the Internet. This means that all frames and packets must have their payloads inspected for malicious code and all traffic must be encrypted. These two requirements pull against each other: an inspection point can only examine a payload it is able to decrypt, so inspection has to take place at the encryption end points or at a device that holds the keys for that segment.

Current encryption solutions simply do not scale to the global problem of applying data protection at every end point. New technologies are required to provide a viable answer. Organizations need a model built on a common policy definition platform, with key management separated from the individual encryption end points, so that encryption can be applied much more broadly than it is today.

In some ways, large organizations are already preparing for the demands of untrusted networks by integrating security into their networks. These organizations are using firewalls and IDS/IPS technologies to inspect traffic, searching for malware and permitting or denying access to intellectual property. Much more is needed. Traffic must be secured as it moves throughout the network.

Consider that:

  • VLAN technology separates users into communities of interest, but in no way offers confidentiality, data integrity, or source authentication for traffic flowing within the VLAN.
  • MPLS services separate customers sharing the network, but do not provide confidentiality for data in transit. Anyone who receives the traffic, whether because of a misconfiguration or with criminal intent, can read a customer's sensitive data.
  • Securing multicast traffic is difficult at best, and in large implementations operationally not feasible. Imagine corporate updates, future roadmap presentations, or field training being broadcast over a shared IP network. Ensuring confidentiality of this traffic is a real problem.
  • Large, secure mesh networks are impractical to administer. A full mesh of n sites needs a pairwise security association for every pair of sites, n(n-1)/2 in total, so the number of policies quickly rises to the thousands if not tens of thousands.

There are a number of encryption solutions deployed today that each solve a portion of the problem: application-level encryption tools, SSL VPNs, IPsec VPNs, Layer 2 encryption (IEEE 802.1AE, MACsec), file transfer encryption tools, SSH as an encrypted replacement for telnet, e-mail encryption tools, and so on. These diverse technologies do provide solutions for pieces of the security requirement. Yet the encryption tools are complex, too granular in their capabilities, and almost impossible to manage as a whole. The market today needs a solution that covers a broad range of applications, satisfies the necessary regulations, and reduces the management and operational overhead caused by the other "solutions."

Protecting data in motion
Four primary data-protection technologies are deployed today, each covering part of the problem. They are:

  • Application Encryption
  • SSL VPNs
  • IPsec VPNs
  • Link Layer Encryption

These approaches are very different in their implementation and provide varying advantages and disadvantages to the enterprise.

One major distinction between these implementations is the location in the protocol stack where the technology is applied. Looking at the stack from the top down:

  • The application layer provides end-user applications and data access: e-mail, telnet, FTP, and any other user application (banking, engineering, and so on).
  • The transport layer sets up end-to-end connectivity and offers both connectionless and connection-oriented protocols. TCP is the connection-oriented transport protocol; it provides reliable, in-order delivery by retransmitting lost segments and reassembling segments that arrive out of order before the data reaches the application.
  • The network layer is responsible for delivering the packet to a communicating peer, using routing to forward it across a network or the Internet.
  • The link layer is responsible for frame delivery across one specific link: an Ethernet segment, a SONET span, a Frame Relay circuit, and so on.

Application encryption
For application encryption, the application itself provides the encryption end points that secure the traffic. E-mail is one application that uses encryption technology today. An e-mail client and its server negotiate security parameters, authenticate each other, and exchange keying material, after which traffic between them flows in a secure manner. Note that such a client-to-server tunnel protects only that hop: the message is in the clear on the server and on every subsequent hop to the recipient. Protecting a message end to end, from sender to recipient, requires message-level encryption such as S/MIME or OpenPGP.

Database applications are also employing encryption to secure data on disk or to secure specific fields in a database. These technologies require encryption key storage and archival. They protect data at rest, but the data may still be open to attack while it is in motion between the database, the application, and the user.

Specificity enables application encryption to be very granular in its implementation, securing specific data fields, e-mail addresses, or any other sensitive data. This has real advantages if the security need is application specific, such as a company that only needs to encrypt the CEO's e-mail or a single Social Security number column in a database. There are, however, real tradeoffs. As the use of encryption grows, the specificity of application encryption becomes impossible to administer and implement on a large scale: every application brings its own keys, its own configuration, and its own failure modes. So, if e-mail security is all that is required, this is a great solution. With regulations driving the use of encryption on a large scale, applying application encryption to every application would be a huge obstacle to overcome.
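As an added example that is not part of the original article, the following Go program shows field-level application encryption of the kind just described: one sensitive column is encrypted with AES-GCM while the rest of the record stays in the clear, the key is held by the application rather than by the database, and the record ID is bound into the ciphertext as associated data so a blob cannot be moved from one row to another. The Employee record, the fixed SampleKey, and the SSN value are constructed for this example; a deployment would fetch the key from a key store and rotate it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Employee is a constructed sample record; only SSN is treated as sensitive.
type Employee struct{ ID, Name, SSN string }

// StoredEmployee is the row as the database sees it: the sensitive field is a
// base64 blob of nonce || ciphertext || tag, everything else stays in the clear.
type StoredEmployee struct{ ID, Name, EncSSN string }

// FieldCipher wraps the data-encryption key. The key lives with the application
// (or its key manager), never in the database that holds the rows.
type FieldCipher struct{ aead cipher.AEAD }

// SampleKey is a fixed 32-byte key (AES-256) so the example is reproducible.
// A deployment fetches the key from a key store and rotates it.
func SampleKey() []byte { return []byte("0123456789abcdef0123456789abcdef") }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The record ID is bound in
// as associated data, so a blob copied from one row into another will not open.
func (fc *FieldCipher) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal. Any change to the blob, the key or the record ID is an error.
func (fc *FieldCipher) Open(recordID, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Store is the write path: only the SSN column is transformed.
func Store(fc *FieldCipher, e Employee) (StoredEmployee, error) {
	enc, err := fc.Seal(e.ID, e.SSN)
	if err != nil {
		return StoredEmployee{}, err
	}
	return StoredEmployee{ID: e.ID, Name: e.Name, EncSSN: enc}, nil
}

// Load is the read path; the plaintext SSN exists only in application memory.
func Load(fc *FieldCipher, s StoredEmployee) (Employee, error) {
	ssn, err := fc.Open(s.ID, s.EncSSN)
	if err != nil {
		return Employee{}, err
	}
	return Employee{ID: s.ID, Name: s.Name, SSN: ssn}, nil
}

func main() {
	fc, err := NewFieldCipher(SampleKey())
	if err != nil {
		panic(err)
	}
	row, _ := Store(fc, Employee{ID: "emp-1001", Name: "A. Example", SSN: "123-45-6789"})
	fmt.Printf("stored row: %+v\n", row) // Name readable, EncSSN opaque
	back, err := Load(fc, row)
	fmt.Println("loaded:", back.SSN, err)
	row.ID = "emp-2002" // move the blob to another record
	_, err = Load(fc, row)
	fmt.Println("moved blob:", err) // cipher: message authentication failed
}
```

The granularity is the point: nothing but the SSN column changes shape, so the rest of the schema and every query that does not touch that column are unaffected. The tradeoff the section describes is also visible: this key, its storage, its rotation, and this Seal/Open pair belong to one application, and every further application that must encrypt something needs its own. After Load the plaintext sits in application memory and goes out on the wire to whoever asked for it, which is the data-in-motion gap that a transport-level mechanism has to close separately.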

TLS/SSL
So, if it is very difficult to encrypt data in motion for all applications, is there a subset of applications that use a common communications platform so that encryption technology can be applied in a more general way? Enter TLS/SSL.

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), sits between the application layer and the transport layer. Running over TCP for reliable delivery, TLS/SSL primarily secures Web-based applications, although any TCP application can be secured the same way: the application reads and writes a connection as before, and the handshake, peer authentication, and encryption happen one layer down. Figure 2 shows the positioning of TLS/SSL.
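To make that positioning concrete, here is an added Go example (not code from the original article) that wraps an ordinary line-oriented TCP echo service in TLS. The application code touches only a net.Conn; the TLS listener and tls.Dial supply the handshake, the certificate check and the encryption underneath it. The certificate is self-signed and generated in memory so the example runs offline on loopback; the Exchange function, the "localhost" name and the echo protocol are assumptions made for this example. The second call, with the server's certificate absent from the client's trust store, shows the check a client must not disable: the handshake fails rather than proceeding with an unauthenticated peer.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory certificate for "localhost" so the example
// runs offline. It is constructed for this example; a real server presents a
// certificate issued by a CA its clients already trust.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail on bytes we just produced
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the one root our verifying client will trust
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// echoServer is the "application": it reads one line from a net.Conn and writes
// it back. Nothing here mentions TLS; the listener underneath supplies it.
func echoServer(ln net.Listener) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
				c.Write([]byte("echo: " + line))
			}
		}(conn)
	}
}

// Exchange starts a TLS-wrapped echo server on loopback and sends msg through a
// TLS client. With trustServer set, the client trusts the server's certificate as
// its only root; without it the client has only the system roots, which do not
// contain our self-signed certificate, so the handshake must fail. It returns the
// reply (newline stripped) and the negotiated TLS version.
func Exchange(msg string, trustServer bool) (string, uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", 0, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", 0, err
	}
	defer ln.Close()
	go echoServer(ln)
	cli := &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if trustServer {
		cli.RootCAs = pool
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli) // handshake and certificate check
	if err != nil {
		return "", 0, err // e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\n", msg)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", 0, err
	}
	return reply[:len(reply)-1], conn.ConnectionState().Version, nil
}

func main() {
	fmt.Println(Exchange("hello over TLS", true))
	fmt.Println(Exchange("hello over TLS", false))
}
```

The echo handler and the client's Fprintf/ReadString are the same calls they would be over a plain TCP socket, which is exactly why TLS can be applied to any TCP application without changing it. What does change is the trust decision: the client's RootCAs and ServerName settings are where the peer is authenticated, and setting InsecureSkipVerify instead of providing a root would turn the encrypted channel into one that any intercepting host can terminate.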


