Andrew Lance | Founder and CEO, Sidechain Security
Today, the big buzz words in government high speed network security are “100Gbps” and “ESS” (Ethernet Security Specification). With the realization that IPsec and HAIPE are just not efficient at high speeds, and as government inquiries for 100Gbps Ethernet Encryption Devices (EEDs) increase, chatter among vendors and integrators alike has grown exponentially. Although EEDs have been around for many, many years, they are only now gaining widespread visibility and scrutiny. Speed and bandwidth are merely natural progressions of technology whereas data in motion security as a solution requires experience and techniques that solve the bigger problem…high levels of security at high levels of performance.
Speed
Newcomers to the Layer 2 Ethernet Encryption market are consumed by the notion of “The Need For Speed”. Quick to develop solutions that merely meet the specification of a 100Gbps speed requirement, these vendors can quickly lose sight of the ultimate goal which is to provision security.
With the main focus turned to speed, hardware is developed first and specifications such as ESS and Macsec are shoe-horned into the hardware later. One might say that the cart has been placed before the horse. Hardly a best practices approach from a network encryption perspective but certainly a good approach if speed is your primary concern. What good is a 240 MPH race car if the wheels fall off at 50 MPH? What good is a race car if you are driving it in downtown Manhattan traffic? And what good is a race car if the driver has little to no experience? Building a device that goes fast is much easier than delivering a solution that meets all of the requirements needed to win the race.
Security Technique
For a moment, let’s take speed out of the equation. Instead, let’s look at the end goal which is network security for data in motion. Several important security functions need to be provided. This includes a best practices key lifecycle management implementation (the most important factor) and encryption techniques that meet today’s commercial and government standards. Although these two factors can protect data, they are still a small part of a total data in motion security solution. Security of data in motion additionally requires a host of capabilities such as a packet counter mode to ensure data integrity. Also important are the size of the counter for scaleability, Traffic Flow Security to mask patterns, secure in-band and out-of-band management capabilities, key distribution controls and methods, certificate generation, hardware tampering controls, and automated key zeroing techniques just to name a few. To state the obvious, speed is easy, security technique is not.
Speed vs. Security Technique
If speed is easy, then one should deduce that an existing solution with the best security techniques should be used as a basis for determining a roadmap to higher speeds moving forward. With the horse rightly placed before the cart, a progression to speed is difficult, but logical. Difficulties exist in the time-critical nature of securing traffic at such high speeds. Considerations such as packet size can have exponential effects on latency and performance at capacities of 10Gbps, let alone 100Gbps. Thales eSecurity’s Datacryptor, for example, can encrypt everything from small VoIP and video data packets to jumbo frames with less than 5µSec of latency at 10Gbps. No small feat considering the robust key management and security capabilities that the Datacryptor delivers. Will any single entity ever have a requirement for a single link operating at 100Gbps? The answer is yes. There are some entities that will require security for a single pipe operating at high capacity and high speed. But for the most part, and at least at the onset, the 100Gbps pipe will be divided into logical segments, making 100Gbps more of a capacity concern than a speed concern. Encryption solutions that can scale to meet these speed and capacity requirements will be the solutions of choice in the fledgling 100Gbps market. Thales eSecurity has been providing Datacryptor link and layer 2 network encryption solutions for roughly 30 years. During this time, Datacryptor products have progressed from speeds of less than 1Mbps to more than 10Gbps. During this progression, security has always been at the forefront of the hardware design. Speed and capacity will continue to drive requirements for new hardware solutions while experience and consistency in security technique will remain as the constants.