
Illustration courtesy of General Dynamics Mission Systems.

In this Q&A with Dave Kornbau, technical director and engineering fellow for Cyber Systems at General Dynamics Mission Systems, we discuss: the differences between Layer 2 and Layer 3 encryption, the factors to consider when building network architecture, and military applications where this type of encryption security is needed.

Breaking Defense: Explain what is meant by a hybrid approach to encryption; the hybrid approach consists of what elements?

Dave Kornbau, Technical Director and Engineering Fellow for Cyber Systems at General Dynamics Mission Systems.

Kornbau: A hybrid approach to encryption is the use of both Layer 3 (L3) High Assurance IP Encryptors (HAIPE) and Layer 2 (L2) Ethernet Data Encryption (EDE) devices positioned appropriately in a network architecture. This concept positions the EDE devices, similar to MACsec (Media Access Control security), in the high-speed core of the network, and the HAIPE devices, similar to IPsec (Internet Protocol security), for high-volume, lower-speed, edge device encryption.

Both HAIPE and EDE are government specifications for protecting national-security data. HAIPE and EDE devices support different use cases – and selecting the right encryption technology depends on several factors such as transport availability, performance and bandwidth requirements, and scalability of the design. Scalability in this case would refer to the number of spokes, connection points, and the overall encryption needs. One solution isn’t necessarily better than the other. They both offer high-assurance encryption, and using the right one in the right location is an important factor when building out a secure network architecture.

Breaking Defense: What are the differences between Layer 2 Ethernet and Layer 3 IP encryption that you are referring to and when can they be used together?

Kornbau: L3 encryption is extremely flexible from a transport service perspective – IP can operate over any public or private network. This is ideal for mobile and tactical environments because of its support for routing. It offers an order of magnitude in increased scalability for the number of security associations supported, allowing the potential to support thousands of security associations. L3 encryption offers many configuration options and end-to-end traffic protection.

L2 encryption is a different tool to solve some challenges that L3 encryption faces. Today, fewer applications are running locally as many applications run from a centralized location like the cloud. This drives the need for higher-speed transports. Increased bandwidth demands over the WAN for branch, application and data centers are ideal for L2 since it offers higher speeds.

In addition, highly resilient cloud computing resources and architectures drive higher-speed data-center interconnects and high-speed replication requirements. L2 encryption offers significantly higher speeds than L3 encryption. L2 is extremely dependent on the underlying transport such as an Ethernet service offering, dark fiber or other L2 services. However, L2 is easier to configure and operate and offers a per-hop traffic protection.

L2 and L3 encryption technologies complement each other depending on the use case, transport and bandwidth needs. They offer network design options that mix scale, performance, and leverage different services.

Breaking Defense: What’s the military application for these types of encryption? Where and how are they used?

Kornbau: One of the needs we are seeing in terms of military data security is in high-risk deployments that occur at the tactical edge. To protect the warfighter, their platforms, equipment, and information, the government has increased its use of unattended and unmanned systems.

Unmanned technology is used for intelligence, surveillance and reconnaissance (ISR) missions, combat missions, and research and development, to name a few. We can see these types of deployments using L3 encryption methods, specifically HAIPE-compliant devices, to ensure high-assurance security and interoperability. L3 is typically used to secure applications with mobile requirements and is ideal for unmanned vehicles, and for remote- or forward-deployed teams with needs to reach back to command centers.

On the other hand, L2 encryption is used at the enterprise and data center core where data is collected, stored, shared and analyzed. We are seeing an increased need for higher bandwidth on the enterprise side from activities like data-center consolidation and interconnects. This concept of operations demands high-speed performance from point A to B, making L2 Ethernet the optimal choice due to the low latency, simplified architectural complexity, and performance advantages.

Breaking Defense: Which of the General Dynamics Mission Systems solutions are targeted at these types of encryption, and what makes them effective?

Kornbau: Whether your network architecture is designed to support Ethernet L2 or IP L3, General Dynamics Mission Systems offers a comprehensive network encryption portfolio to secure military and intelligence community missions from the tactical edge to the enterprise. The TACLANE family of network encryptors has been protecting the most critical national-security systems for over 20 years and is the most widely deployed base of high-assurance encryptors in the world. Our HAIPE encryptors include SWaP-C-optimized devices to support multiple mobile users at the tactical edge with enterprise reach-back, supporting 200 Mb/s – 20 Gb/s throughput.

To support the growing high-performance needs of customers, General Dynamics Mission Systems is expanding the TACLANE portfolio by introducing the new TACLANE E-Series to support enterprise-focused security and EDE-CIS-compliant solutions.

The TACLANE-ES10 (KG-185A) will be the first encryptor in the new TACLANE E-Series and will support the low latency, security, and performance requirements of high-speed (2-20 Gb/s aggregate) L2 network backbones and mission applications that address data center and campus interoperability, cloud and big data processing.

Designed to be compliant with the latest EDE Specification, the TACLANE-ES10 (KG-185A) is the perfect replacement for legacy Ethernet Security Specification (ESS), SONET and other link encryptors. The E-Series also includes modular solutions to support IT-friendly solutions supporting 20-400 Gb/s and eventually 1.6 Tb/s throughput.

If your readers are interested in staying up to date with the latest in high-assurance network and Crypto Modernization solutions for L3 HAIPE and L2 EDE-CIS, please visit http://www.gdmissionsystems.com/taclane.