Making networks secure with multi-layer encryption
22 September 2022
Stephan Lehmann
© 2022 ADVA. All rights reserved.
Slide 2: Network security provides secure foundation
Critical infrastructures require reliable networks
Confidentiality – Integrity – Availability
[Chart: Security Level over Time, Required vs. Actual]
Slide 3: Cryptography is crucial for network security
Encryption and authentication support different layers
[Diagram: encryption options per layer with the throughput range shown on the slide]
  Application:  TLS/SSL (App)      <100 Mbit/s
                SSH (Admin)        <100 Mbit/s
                VPN IPsec (L3)     0.1-1 Gbit/s
  Transport:    MACsec (L2)        1-100 Gbit/s
                OTNsec (L1)        >100 Gbit/s
Network security functions: Firewalling, Segmentation, Encryption, Authentication, Intrusion Detection
Slide 4: Traditional VPN not sufficient for modern networks
Evolution of encryption requirements
[Diagram]
  Starting point: VPN (IPsec), client-site (RAS) and site-site
  Drivers: move to cloud, mobile first, growing bandwidths, network requirements (QKD, multi-tenancy)
  Resulting technologies: TLS/SSL, per-app VPN, MACsec, OTNsec, zero trust, strong authentication
Slide 5: Sidetrack: security for managed networks
Extended requirements, especially for service providers
Secure Out-Of-Band Management
• Protection of management traffic running over 3rd party networks
Client Separation („multi-tenancy“)
• Client-specific keys and management
• Cryptographic separation per interface or per VLAN
Quantum-safe keys
• See: „Quantum threat: How to protect your optical network” tomorrow
Slide 6: Multi-layer encryption covering every use case
Several encryption tunnels on different layers: OTNsec (L1), MACsec (L2), IPsec (L3), TLS/SSL (L4++)
[Diagram: sites Mobile, Small office, Home office, Sub, Sub, HQ, Production and Cloud, connected by tunnels on these layers]
Slide 7: How do we evaluate encryption quality?
Characteristics of encryption solutions: strong encryption, weak encryption, no encryption
Slide 8: What do you need for a strong encryption solution?
• Platform / algorithm: powerful encryption in hardware with open, reviewed and proven algorithms
• Unpredictable keys: secret session keys with high entropy and periodic re-keying
• Quantum-safe: countermeasures against potential quantum computer attacks
• Tamper-proof: detection of physical and logical manipulation attempts
• Security certifications: review of architecture and implementation by independent security bodies
Slide 9: What does ADVA provide for encryption?
• Platform / algorithm: FPGA with Advanced Encryption Standard (AES) and 256-bit encryption keys
• Unpredictable keys: multiple true random number generators (TRNG) with ephemeral keys allowing perfect forward secrecy (PFS)
• Quantum-safe: quantum key distribution (QKD) and post-quantum cryptography (PQC)
• Tamper-proof: physical tamper protection, secure boot and secure software download, on-board smart cards and eFuses
• Security certifications: certified by NIST and German BSI
Further highlights on the slide: hardware true random number generator; classical and PQC key exchange; suitable for L1, L2, Lx encryption; self-protecting, tamper detection; crypto agility and full flexibility
Slide 10: Secure foundation by encryption and authentication
Network interface device* with MACsec hardware encryption and VNF
[Diagram: compute node (VNF) with a trusted side and an untrusted side, split into Segment A, Segment B and Segment C across Port 1 to Port 8 and Port 9+10; network security (firewall, IDS, IP VPN, etc.) and network segmentation (physical and virtual)]
*FSP 150-XG118Pro (CSH)
Slide 11: Certified multi-layer encryption for SD-WAN
The big picture
[Diagram: Location 1, Location 2 … Location N, each with an FSP 150 (MACsec, VNF), connected over Ethernet (1-100 Gbit/s) to POPs with FSP 150 (MACsec aggregation) and FSP 3000 with encryption (ENC), interconnected over optical DWDM (100-400 Gbit/s)]
12
Stephan Lehmann
Senior product line manager
+49 151 44 01 40 42
slehmann@adva.com
linkedin.com/in/stelehmann/
Encryption and authentication
on multiple layers for a secure
foundation for modern and
software-defined networks
Security-certified and carrier-
grade solutions to secure
optical transport (Layer 1) and
metro networks (Layer 2)
Further listening:
„Quantum threat: How to
protect your optical network”
by Vincent Sleiffer on Friday
Further
reading:
Making networks secure with multi-layer encryption
Takeaways
