Cisco Systems Chooses Net Optics Director xStream Pro™ and HD8™ Taps to Demonstrate MACsec Security Protocol

When Cisco needed to showcase their newest Borderless Network capabilities and demonstrate MACsec technology at work, they looked to Net Optics. Director xStream Pro generates live statistics from any network segment even at ultra-high data volumes. And since downtime isn’t an option, they chose the HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10G networks without introducing a point of failure. http://www.netoptics.com

Transcript

  • 1. Partner | Solution Brief

    What is MACsec?

    Vulnerability at the access edge is one of today’s most urgent security challenges. Now, in a convincing demonstration at the 2011 Cisco Live trade show, Cisco used its own switches, along with Net Optics’ Director xStream Pro and High-Density HD8 Fiber Taps, to show how its MACsec technology is vital to protecting data in motion by maintaining data encryption and integrity in the LAN. The demo contrasts the vulnerability of data traveling between network switches—both with and without MACsec.

    MACsec refers to the capability of encrypting data communications between a switch and any attached device—most importantly communication on wired LANs. MACsec (MAC for Media Access Control; sec for security) is the brainchild of the Institute of Electrical and Electronics Engineers (IEEE). Known as Security Standard 802.1AE, MACsec is the industry’s new best practice for ensuring data integrity when it comes to independent media access. MACsec is designed to be deployed in conjunction with traditional, higher-level encryption protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH) to enhance security on LANs.

    Today, authentication alone cannot guarantee the safety of LAN data. Although physical security and end-user awareness remain important, many instances and locations (for example, remote offices and public access) demand greater LAN fortification. One of the promising answers is MAC Security, or MACsec—part of the Borderless Network Integrated Security Features providing superior layer 2 defense against man-in-the-middle attacks such as MAC, IP, and ARP spoofing.

    Net Optics Solutions Help Validate and Dramatize the Necessity of MACsec to Cisco Live Visitors

    How does MACsec bolster Borderless Network security?

    To show how its IOS MACsec software defends LAN data integrity, Cisco used its 6500 Switches, employing Cisco Protocol for MACsec-based wire-rate hop-to-hop layer 2 encryption. MACsec’s layer 2 capabilities can identify and block most threats that come from behind the firewall (also known as insider threats). Also used in the demo are the Cisco Catalyst 3500 and Catalyst 4500 family of switches. By using Director xStream Pro, it is possible to demonstrate encryption compliance and validate the proper deployment. The 3500, which does not incorporate MACsec, enables contrasting of encrypted and unencrypted data— the main point of the demonstration.

    Used between LAN endpoints, MACsec enables each packet on the wire to be encrypted via symmetric key cryptography. As a result, communications cannot be monitored or altered anywhere on the wire; nor can anyone directly intercept traffic on the line that data travels on. MACsec is one of the most significant advances in network security, enabling confidentiality and identity-based access control at the network edge.

    Cisco Live Demo, Tapping Traffic Between Cisco Switches With and Without MACsec, Shows Its Dramatic Impact on Security

    [Figure: Cisco 6500 Series Switches, Net Optics 10G Fiber Tap HD8, Cisco 3500 Series Switch and Net Optics Director xStream Pro. Legend: MACsec Encrypted Traffic; Unencrypted Traffic.]

    Cisco and Net Optics in Action at Cisco Live 2011

    The diagram shows Cisco 6500 switches across the top, using MACsec technology to encrypt Layer 2 traffic between Cisco’s own devices. Initially, traffic is unencrypted, with Cisco then creating a tunnel to perform the encryption. The dashed lines represent encrypted traffic. The solid lines represent unencrypted traffic. This makes the point that without MACsec technology, this traffic remains unencrypted and vulnerable to intrusion and compromise.
  • 2. Cisco chose the compact Net Optics HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10 Gigabit networks with 100 percent traffic visibility, including layer 1 and 2 errors. Requiring no power, the Net Optics Tap integrates smoothly with Cisco products and maintains permanent access ports for monitoring tools without introducing a point of failure or interfering with network connections.

    “We chose their Director xStream Pro and HD8 Fiber Taps because we felt they would offer us the support needed to show the value of our newest MACsec technology: This is your LAN with MACsec—and without it,” says a Cisco Technical Marketing Engineer.

    The newest in Net Optics’ arsenal of security solutions, Director xStream Pro is a high-performance engine purpose-built for the demands of the 10G environment. Cisco needed Director xStream Pro’s ability to generate and make visible live statistics coming from the switches. Its ability to handle ultra-high data volumes was also important for purposes of the demo.

    MACsec and Director xStream Pro Work Together as a Permanent Compliance Solution

    The ability of Director xStream Pro to capture, display, and document the encryption of LAN traffic is a major benefit to companies challenged with regulatory compliance. Director xStream Pro not only verifies that traffic is encrypted, it allows export of statistics into spreadsheets and other documentation—easing compliance verification for auditing purposes. In addition, Director xStream Pro alerts and exposes in real time any problems that might arise with MACsec encryption, allowing users to take instant action and protecting the value of the MACsec investment.

    [Figure labels: MACsec Encrypted Data Stream; Unencrypted Data Stream]

    Net Optics Helps Cisco Put the Proof Before Viewers’ Eyes

    With MACsec-enabled devices, packets are encrypted on exiting the transmitting device and decrypted on entering the receiving device. They are “in the clear” only within the respective devices. Once the Net Optics HD8 Taps have passively gathered data on the connections, the demo sends data transmissions from the Taps to Director xStream Pro, which collects and displays it clearly in its user interface.

    Watching the encrypted traffic, viewers can see that traffic is there, but they cannot tell what type it is—whether it is Web traffic, VoIP, video, IPv4 or IPv6, PCP, TCP, UDP or ARP. This proves that the MACsec security function is working. Traffic emanating from the 3500 device, which lacks MACsec technology, clearly reveals its types and protocols—and even its payload contents if it is not using a higher-level encryption protocol such as SSL or SSH. The demo shows how MACsec software protects the network from inside—and Director xStream Pro can also reveal the payload.

    With encryption and decryption performed locally, it is easier to deploy IT insertion points for IDSs, anti-virus protection, load balancing and traffic management. MACsec’s strong encryption at layer 2 also supports data confidentiality, while integrity checking helps assure that no data modification takes place during transit.

    Summary

    Net Optics Taps and Director xStream Pro are helping Cisco offer irrefutable proof that the MACsec-enabled software in its switches helps secure a network from the inside on a hop-by-hop basis. MACsec also enables each hop to act as an IT insertion point for security purposes. Using MACsec, IT departments can now monitor and inspect internal LAN traffic. This capability is fundamental to Cisco’s Borderless Security Architecture, part of the Borderless Network vision. Now, Net Optics TAPs and Director xStream Pro are helping Cisco prove how vital MACsec is to the confidentiality and integrity of the LAN.

    Net Optics Director xStream Pro’s Live Data Statistics feature enables Cisco to demonstrate the secure exchange of data between switches. As shown in the illustration, Director xStream Pro’s GUI makes the contrast between MACsec encryption and unencrypted data dramatically visible. The display shows encrypted traffic as unreadable, while unencrypted traffic types are easily identified. Director xStream Pro’s Live Data Statistics capability also lets users import statistics into a SQL database or spreadsheet for compliance support and instant insight into network status and health.

    5303 Betsy Ross Drive, Santa Clara, CA 95054. Tel: +1 (408) 737-7777. www.netoptics.com

    Net Optics® is a registered trademark of Net Optics, an Ixia company. Copyright 1996-2013 Net Optics, an Ixia company. All rights reserved. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
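The encrypted-versus-cleartext contrast the brief describes can be checked on tapped frames directly. The sketch below is an added example, not code from Net Optics or Cisco: it classifies untagged Ethernet frames by the IEEE 802.1AE SecTAG (EtherType 0x88E5) and reads the E and C bits, because a SecTAG alone does not prove the payload is encrypted. The function names and sample frames are constructed for illustration.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5                      # IEEE 802.1AE SecTAG EtherType
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
IP_PROTOS = {6: "TCP", 17: "UDP"}

def classify_frame(frame: bytes) -> dict:
    """Classify one untagged Ethernet frame copied from a tap."""
    if len(frame) < 14:
        return {"status": "malformed"}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        # No SecTAG: the frame type, and for IPv4 the transport, are readable.
        l4 = None
        if ethertype == 0x0800 and len(frame) >= 34:
            l4 = IP_PROTOS.get(frame[23], str(frame[23]))  # IPv4 protocol byte
        return {"status": "cleartext",
                "l3": ETHERTYPES.get(ethertype, hex(ethertype)), "l4": l4}
    if len(frame) < 20:                        # TCI/AN + SL + 4-byte PN
        return {"status": "malformed"}
    tci_an = frame[14]
    (pn,) = struct.unpack_from("!I", frame, 16)
    # E and C both set means the payload is encrypted; a SecTAG with both
    # clear is integrity-only, so the payload is still readable on the wire.
    encrypted = (tci_an & 0x0C) == 0x0C
    return {"status": "macsec-encrypted" if encrypted else "macsec-integrity-only",
            "an": tci_an & 0x03, "pn": pn, "sci_present": bool(tci_an & 0x20)}

def audit(frames) -> dict:
    """Count frames per status, e.g. for a per-link compliance record."""
    counts = {}
    for frame in frames:
        status = classify_frame(frame)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("020000000002" "020000000001")       # dst + src
IPV4_TCP = MACS + bytes.fromhex("0800" "4500002800010000400600000a0000010a000002") + bytes(20)
ARP = MACS + bytes.fromhex("0806") + bytes(28)
SECTAG_TAIL = bytes.fromhex("0200000000010001") + b"\xaa" * 32 + b"\xbb" * 16  # SCI, data, ICV
ENCRYPTED = MACS + bytes.fromhex("88e5" "2c" "00" "00000007") + SECTAG_TAIL
INTEGRITY_ONLY = MACS + bytes.fromhex("88e5" "20" "00" "00000008") + SECTAG_TAIL
SAMPLE = [IPV4_TCP, ARP, ENCRYPTED, INTEGRITY_ONLY]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(classify_frame(frame))
    print(audit(SAMPLE))
```

A link that is expected to be MACsec-protected should report only `macsec-encrypted`; any `cleartext` or `macsec-integrity-only` count on that link is the condition worth alerting on.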