Making networks secure with multi-layer encryption
© 2022 ADVA. All rights reserved.

Network security provides secure foundation
Critical infrastructures require reliable networks
[Chart: security level over time, required level vs. actual level; confidentiality, integrity, availability]

Cryptography is crucial for network security
Encryption and authentication support different layers
[Diagram: encryption and authentication per layer: TLS/SSL (application), SSH (administration), IPsec VPN (L3), MACsec (L2), OTNsec (L1); network security functions: firewalling, segmentation, encryption, authentication, intrusion detection; throughput scale from <100 Mbit/s through 0.1-1 Gbit/s and 1-100 Gbit/s to >100 Gbit/s]

Traditional VPN not sufficient for modern networks
Evolution of encryption requirements
[Diagram: traditional VPN (IPsec) for client-to-site (RAS) and site-to-site links; drivers: move to cloud, mobile first, growing bandwidths, network requirements (QKD, multi-tenancy); resulting technologies: TLS/SSL, per-app VPN, MACsec, OTNsec, zero trust, strong authentication]

Sidetrack: security for managed networks
Extended requirements, especially for service providers
Secure Out-Of-Band Management
• Protection of management traffic running over 3rd-party networks
Client Separation ("multi-tenancy")
• Client-specific keys and management
• Cryptographic separation per interface or per VLAN
Quantum-safe keys
• See: "Quantum threat: How to protect your optical network" tomorrow

Multi-layer encryption covering every use case
Several encryption tunnels on different layers
[Diagram: encryption tunnels on several layers, OTNsec (L1), MACsec (L2), IPsec (L3) and TLS/SSL (L4++), connecting mobile users, small office, home office, two sites labelled Sub, HQ, production and cloud]

How do we evaluate encryption quality?
Characteristics of encryption solutions
[Chart: characteristics of encryption solutions, rated from no encryption through weak encryption to strong encryption]

What do you need for a strong encryption solution?
• Platform / algorithm: powerful encryption in hardware with open, reviewed and proven algorithms
• Unpredictable keys: secret session keys with high entropy and periodic re-keying
• Quantum-safe: countermeasures against potential quantum computer attacks
• Tamper-proof: detection of physical and logical manipulation attempts
• Security certifications: review of architecture and implementation by independent security bodies

What does ADVA provide for encryption?
• Platform / algorithm: FPGA with Advanced Encryption Standard (AES) and 256-bit encryption keys
• Unpredictable keys: multiple true random number generators (TRNG) with ephemeral keys allowing perfect forward secrecy (PFS)
• Quantum-safe: quantum key distribution (QKD) and post-quantum cryptography (PQC)
• Tamper-proof: physical tamper protection, secure boot and secure software download, on-board smart cards and eFuses
• Security certifications: certified by NIST and German BSI
[Callouts: hardware true random number generator; classical and PQC key exchange; suitable for L1, L2, Lx encryption; self-protecting, tamper detection; crypto agility and full flexibility]

Secure foundation by encryption and authentication
Network interface device* with MACsec hardware encryption and VNF
[Diagram: network interface device with a compute node (VNF) between the trusted side and the untrusted side; segments A, B and C; network security functions (firewall, IDS, IP VPN, etc.) and network segmentation (physical and virtual); ports 1 to 8 and ports 9+10]
*FSP 150-XG118Pro (CSH)

Certified multi-layer encryption for SD-WAN
The big picture
[Diagram: Locations 1, 2 ... N and three POPs; Ethernet links (1-100 Gbit/s) and optical DWDM links (100-400 Gbit/s); FSP 150 (MACsec, VNF) at the locations, FSP 150 (MACsec aggregation), FSP 3000 and encryption (ENC) in the core]

Making networks secure with multi-layer encryption
Takeaways
• Encryption and authentication on multiple layers for a secure foundation for modern and software-defined networks
• Security-certified and carrier-grade solutions to secure optical transport (Layer 1) and metro networks (Layer 2)
Further listening: "Quantum threat: How to protect your optical network" by Vincent Sleiffer on Friday
Further reading:
Stephan Lehmann
Senior product line manager
+49 151 44 01 40 42
slehmann@adva.com
linkedin.com/in/stelehmann/