Download ATmedia GmbH

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Zigbee wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Computer network wikipedia , lookup

IEEE 1355 wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Deep packet inspection wikipedia , lookup

Computer security wikipedia , lookup

Internet protocol suite wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Synchronous optical networking wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Transcript 
High Speed Encryption Made in Germany
Today‘s Trends in Network Encryption
2
Today‘s Trends in Network Encryption
Contents
• Background ATMedia GmbH
• Why Encryption?
• Which Encryption?
• How to deploy Encryption
3
ATMedia GmbH
• ATMedia GmbH founded in 1996
• Privately owned and independent German company
• Development, production and distribution of high-speed network
security products
• Encryption products up to 10G with a BSI/NATO/EU approvals
• Suisse Partner: DeltaNet AG
4
Security Risks of WAN-connections
WAN connections are not secure if:
-
Value of the data is higher than the costs of getting the data
Risk of detection is low
A short reminder ….
5
Security Risks of WAN-connections
WAN security categories
☺ „real“ WAN network connections
– Dark Fiber
– WDM
– SONET/SDH
„virtual“ WAN networks
– MPLS
– Carrier Ethernet / VPLS
– IP Services
6
Security of Fiber WAN connections
Low Tech risk analysis
• Physical access to Fibers easy
• Fibre emits light
• Light can be detected
7
Security of Fiber WAN connections
WDM does not add security
• Coupling out
Spectrum analysis
Filter
Detector
– Looks like a WDM system (analysis not really needed)
• Analysis of data content
– Detection of speed and type
• Capturing of „needed“ data
– Hardware „FPGA“ Filter
disk storage
• Costs ~ 5 digits
• Patents e.g. from DTAG: EP 0915356A1
8
Security of real Fiber WAN connections
Counteractions
• Fiber monitoring
– Good for debugging but no reliable detection of attacks
– “False positive” rate extremely high
• Fiber protection
– Extremely expensive and not reliable
• Encryption
– Only reliable measure, no economical worthwhile attacks possible
9
Security of “virtual” WAN connections
„virtual“ connections
•
•
•
•
•
No physical access needed for eavesdropping
Data can be rerouted or duplicated by a mouse click
All members of the group known?
Is it really “Private”`?
„VPN“ is misleading regarding security risks and resulting liabilities
Encryption is essential
10
Selection of WAN Security Products
•
Firewall, IDS (incl. DPI)
– Protection against unwanted connections
– No protection against manipulation and eavesdropping
– Challenge of „defective“ protocols (VoIP, …)
– Additional application gateways needed
– Works for “known” protocols and applications only
•
Encryption (VPN)
– Cryptographic access control
– Data protected against manipulation and eavesdropping
– Offers protection for all protocols and applications
11
Selection of WAN Security Products
•
Firewall, IDS (incl. DPI)
Extensive use of hardware and software
•
Encryption (VPN)
Dedicated hardware
12
Selection of Encryption Equipment
„integrated“ (add-on) Encryption
Firewall, Router, Switch, Director, Multiplexor
–
–
–
–
–
Minor security performance
High Risk of Denial of Service
Encryption easily to bypass
Encryption often at IP level
Key management?
Combination of many different security functions in one device not
optimal
13
Encryption Checklist
•
•
•
•
Encryption „main function” of the device (no giveaway)
One security level for the whole system
No „security by obscurity“ arguments
Use of open and well known algorithms (AES, ECC, …)
• Perfect Forward Secrecy (long term security)
• Real security reviews by 3rd parties
• Transparency of the whole chain from manufacturer to the integrator
14
Layer 2 or Layer 3 ?
Layer 3 Encryption = IPSec
IP
Universal, high complexity => high overhead
Low speed IP networks (DSL, UMTS, LTE)
Most implementations software only
Impact on QoS, challenge of stream prioritization
Multicast support difficult
IP V6, MPLS, VLAN Separation ?
15
Layer 2 or Layer 3 ?
Layer 2 Encryption
Network layer below IP and MPLS
Less complexity => low overhead
Hardware implementation: minimal Delay and Jitter
Optimal for real-time communication (VoIP, Video, Terminal-Services)
QoS and prioritization conserved
Transparent to IP V4+V6, MPLS, VLAN, …
16
Layer 2 or Layer 3
Marketing:
100
Throughput in % of link speed
95
90
85
80
Layer 2 Encryptor = link speed
75
IPSec (theoretical maximum)
70
65
60
TCP PDU
VOIP/
Citrix
TCP Ack
55
50
64
128
256
512
1024
1280
1518
9000
Ethernet frame size in bytes
17
Layer 2 or Layer 3
Fair comparison:
100
Throughput in % of link speed
95
90
85
80
Layer 2 Encryptor (auth replay)
75
IPSec (auth replay)
70
65
TCP Ack
55
TCP PDU
VOIP/
Citrix
60
50
64
128
256
512
1024
1280
1518
9000
Ethernet frame size in bytes
18
Real Layer 2 VPN: Carrier Ethernet
• Point-to-Point: E-Line
• Point-to-Multipoint: E-Tree
19
Real Layer 2 VPN: Carrier Ethernet
• Full Multipoint: E-LAN
Offered as “crypto service” by some carriers
(Inside-IT Ethernet Encryption market overview 2010)
20
Real MPLS VPN: MPLS Layer 2 WAN
• MPLS used as Layer 2 transport
• VPLS or Pseudo-Wires
• Works for Point-to-Point and Multipoint networks
21
Real MPLS VPN: MPLS over Layer 2
• Local MPLS networks connected via Layer 2 WAN connections
• Point-to-Point Encryption of the WAN connection
• Special case: “private” MPLS where all P and PE Routers are
interconnected by encrypted Layer 2 connections
22
Real MPLS VPN: Full MPLS Encryption
•
•
•
•
MPLS services of WAN and LAN connected
PE serves as “service multiplexor”
ATM
All MPLS data is encrypted
Works for Point-to-Point and Multipoint scenarios
23
Important Layer 2 Scenario: Storage
SAN Security often “forgotten”:
• Aggregation of Storage and Data services (1G-4G)
• TDM System multiplexes services into a 10G SDH link
• Encryption of the SDH link with a 10G SONET/SDH Encryptor
Certified Secure Data Centre Interconnection
24
ATMedia Solutions
10M Ethernet
100M Ethernet
1G Ethernet
155M-2.4G SDH
•
•
•
•
10G Ethernet
10G SONET/SDH
19“ chassis
Redundant power supplies with dual inputs
Approved by the BSI for VS-NfD, EU and NATO
OEM versions certified for FIPS 140-2 L3 and CC EAL3
25
Summary
• Any network communication can be intercepted and manipulated
• Risk depends on the value of content and availability of the data
• Reliable Encryption is the only effective countermeasure
• Encryption solutions for most network scenarios available
26
Contact
ATMedia GmbH
DeltaNet AG
Science Park 1
66123 Saarbruecken
Germany
Riedstrasse 8
8953 Dietikon
Suisse
phone:
fax:
phone: +41 43 322 40 50
fax:
+41 43 322 40 51
+49 681 842477
+49 681 842481
[email protected]
www.atmedia.de
[email protected]
www.deltanet.ch
27
Related documents
Mullvad Barnprogram
Mullvad Barnprogram
50 Word Company Description 100 Word
50 Word Company Description 100 Word
a common digital Europe
a common digital Europe
Are you looking for an easier way to initiate and
Are you looking for an easier way to initiate and
Database Security
Database Security
BitLocker Drive Encryption Self
BitLocker Drive Encryption Self
All Definitions for
All Definitions for
Network Security: It`s Time to Take It Seriously
Network Security: It`s Time to Take It Seriously
Database Confidentiality
Database Confidentiality
WAN Data Networks
WAN Data Networks
Innovative Applications of Artificial Intelligence Techniques in
Innovative Applications of Artificial Intelligence Techniques in
ch._1_-_guided_reading
ch._1_-_guided_reading
Protection of outsou..
Protection of outsou..
Acronym
Acronym