Trust in secure data transport was always fragile, and now it is gone. Edward Snowden's exposure of common spying practice revealed what some of us already had a gut feeling about all along.
Over the last months we have all realized that every means of communication, whether voice or data of any kind, is being intercepted, and on a massive scale. It appears that about all secret services were and still are sniffing and tapping into every single phone call, internet page accessed or email sent, regardless of which part of the globe it comes from or who the recipient is, under the all-justifying "terror prevention" tag.
After Mr. Snowden's NSA whistleblowing, further nations and secret services, such as the British, were revealed to behave in exactly the same manner. Given the targets of the sniffing attacks, it has also become more than evident that the retrieved information serves multiple purposes. Apart from so-called terror prevention, a lot of it is bluntly industrial espionage. In this light, the desire for more privacy, limiting the sharing of information to the sender and the intended receiver, has become pressing on a large scale.
The question now is how to make sure that communication is kept private and not intercepted by any government or private organisation. The answer is surely encryption. However, encryption on the internet comes in many flavours.
Today's communication networks are based on the philosophy of enabling all kinds of applications and services on the same infrastructure and "communication transport means", in contrast to having separate networks for different applications. This evidently reduces the cost of network structures, but it also makes them more vulnerable to attacks: just tap into one fiber and you get it all! While e.g. mobile phones enable a cable-free connection, the radio transmission is only used to link to the next antenna, which is around 100m to 5km away. From this point onwards the aggregated mobile phone traffic is transported over a fiber optic network. But this fiber optic network is also used for all other forms of communication: internet, sending emails, fixed line phone connections, video sharing, TV channel broadcasting etc. Tapping into such a fiber therefore allows listening in on all communication traffic passing through it.
Any communication network is based on a layered structure, called the 7-layer OSI model. The lowest layer is the physical medium that transports the data (radio waves, copper wires, glass fibers), while the 7th layer represents the application (email, voice transfer etc.). The easiest approach for end users of network infrastructure to encrypt their communication is based on the higher layers, e.g. encrypting a text before sending it as an email.
This has several disadvantages:
- End users have to apply the encryption themselves (remember: the biggest threat to network security is the user himself)
- The encryption process is rather complicated and time consuming
- Different applications need to be encrypted separately
- Metadata is still visible (e.g. who sends an email to whom)
It is a much better approach not to rely on encrypting application data, but to perform the encryption on a much lower layer. Commonly, this is applied at the middle (4th) layer, the so-called "Transport Layer", in the form of SSL encryption, widely used e.g. for online banking. Another approach is the next lower, 3rd "Network Layer", via Internet Protocol Security (IPsec). Encrypting at these layers removes the security threat of users forgetting to encrypt, or of needing to encrypt at unacceptable effort.
However, while IPsec and SSL are claimed to be highly secure, unwanted decryption by third parties cannot be ruled out. Furthermore, encryption at these layers adds high latency to the data transmission, which also explains why SSL and IPsec are usually only applied to non-time-critical, low-bandwidth communications such as online payments. As soon as large amounts of data (e.g. video streams) need to be shipped, the latency becomes a big issue, as the transfer times get too slow.
Last but not least, two traditional problems with encryption also remain with SSL and IPsec:
- the complexity of managing encryption keys
- sender and receiver addresses are still visible (IP addresses!)
The best solution in all aspects is therefore to encrypt communication on the lowest possible layer, the Data Link Layer. This is the 2nd layer, right above the physical cable and fiber infrastructure.
This not only provides the easiest form for the user (who doesn't perform any encryption at all); Layer 2 also intrinsically covers encryption for any data that is sent over the infrastructure and prevents tracking of sender-to-receiver information (down to the user or down to the IP address). This technology furthermore adds the lowest possible latency to the data transmission and therefore enables the highest bandwidth throughput, which is necessary for many of today's applications.
And by all means it is the easiest encryption technology to implement, since the key management is also automated by the physical data transport systems at the end points. Layer 2 encryption can be implemented for point-to-point networks as well as point-to-multipoint or multipoint-to-multipoint architectures, for data rates of multiple 10 Gbps.
Figure: Comparison of IPsec-encrypted packets transported via the underlying Ethernet structure versus Layer 2 encrypted data, with all headers encrypted except the MAC header and the CRC checksum.
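As an added illustration of the comparison above (example code, not from the original post): a constructed Ethernet frame is protected once as an IPsec ESP tunnel and once with link-layer encryption, and a passive-tap parser reports which addresses remain readable in each case. The XOR keystream is a demo stand-in for the real cipher, and all MAC addresses, IP addresses and the key are made-up sample values.

```python
import hashlib
import struct
import zlib

ETH_HDR, FCS = 14, 4            # dst MAC + src MAC + EtherType; CRC-32 trailer
MAC_A = bytes.fromhex("0200000000aa")   # sample MAC addresses (constructed)
MAC_B = bytes.fromhex("0200000000bb")
KEY = b"demo-link-key"          # sample key shared by the two end points (constructed)

def xor_stream(data, key):
    """Demo-only 'encryption': XOR with a SHAKE-256 keystream, a stand-in for the real cipher."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def ipv4_packet(src_ip, dst_ip, proto, payload):
    """Minimal IPv4 header + payload (constructed sample; header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_ip, dst_ip)
    return hdr + payload

def frame(dst_mac, src_mac, packet):
    """Ethernet II frame carrying an IPv4 packet, with the CRC-32 FCS appended."""
    body = dst_mac + src_mac + struct.pack("!H", 0x0800) + packet
    return body + struct.pack("!I", zlib.crc32(body))

def ipsec_tunnel(packet, gw_a, gw_b, key):
    """Layer 3 protection: the inner packet becomes ESP (proto 50) behind a clear-text outer IP header."""
    esp = struct.pack("!II", 0x1001, 1) + xor_stream(packet, key)   # SPI, sequence number, ciphertext
    return ipv4_packet(gw_a, gw_b, 50, esp)

def layer2_encrypt(fr, key):
    """Layer 2 protection: everything between MAC header and FCS is ciphertext; the FCS is recomputed."""
    clear = fr[:ETH_HDR] + xor_stream(fr[ETH_HDR:-FCS], key)
    return clear + struct.pack("!I", zlib.crc32(clear))

def tap_view(fr):
    """What a passive fibre tap can parse: MAC header and FCS always, IP addresses only if the IP header is intact."""
    dst, src, etype = struct.unpack("!6s6sH", fr[:ETH_HDR])
    view = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "fcs_ok": struct.unpack("!I", fr[-FCS:])[0] == zlib.crc32(fr[:-FCS])}
    ip = fr[ETH_HDR:ETH_HDR + 20]
    if etype == 0x0800 and ip[0] == 0x45 and struct.unpack("!H", ip[2:4])[0] == len(fr) - ETH_HDR - FCS:
        view["src_ip"], view["dst_ip"] = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        view["proto"] = ip[9]
    return view

def demo():
    """Same inner packet (10.1.1.5 -> 10.2.2.9, TCP) under both schemes; returns (ipsec_view, layer2_view)."""
    inner = ipv4_packet(bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]), 6, b"hello")
    outer = ipsec_tunnel(inner, bytes([203, 0, 113, 1]), bytes([198, 51, 100, 7]), KEY)
    return tap_view(frame(MAC_A, MAC_B, outer)), tap_view(layer2_encrypt(frame(MAC_A, MAC_B, inner), KEY))
```

With IPsec the tap still reads the gateway addresses and sees that ESP is in use; with Layer 2 encryption it reads only the MAC header and a valid FCS, which is exactly the metadata difference the figure describes.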