A number of forces drive the need for increased data security, including protecting corporate information and trade secrets, government regulation, trade partner privacy agreements, and customer expectations. For example, in banking and finance, the payment card industry has very strict digital security standards to prevent credit card information from being stolen from the network. The healthcare industry has regulations, including HIPAA and HITECH, to ensure that sensitive personal health information is secure.
Current solution: the VPN tunnel
Many organizations don’t encrypt their data over the WAN because it’s traveling on a “safe” multiprotocol label switching (MPLS) network. Although MPLS networks provide more reliable connections than the Internet and aren’t as public, they cannot be counted upon to be private — they’re still vulnerable to attack. It is important to understand that MPLS and the VPN services built on it are not encrypted by default, and so require additional security measures to protect data: even if the network is “private” or “virtually private,” it is still subject to attack. Data sent on MPLS networks is kept separate from other traffic, but it is not encrypted. Moreover, over the past few years many MPLS carriers have merged their private WANs and Internet backbones, further reducing security in the process.
Breaking out of the tunnel
IPsec VPN tunnels are fairly simple to set up between only two points. However, as remote sites multiply, the number of tunnels grows quadratically: a tunnel is needed between each pair of sites (Fig. 1), leading to administrative hassles every time a remote site is added. EncrypTight™ eliminates the need to establish point-to-point tunnels between each pair of remote sites, freeing network administrators for other tasks. With EncrypTight, every site on your WAN can establish an instant encrypted connection to every other site equipped with an EncrypTight appliance.
How is EncrypTight different from a VPN?
The EncrypTight solution is based on group encryption, in which the encryption keys are centrally generated and securely sent to the EncrypTight appliances. This enables you to manage policy and key distribution centrally instead of on a time-consuming, site-by-site basis, as is the case with VPNs. EncrypTight enables you to secure “data in motion” in a way that is transparent to network architectures and protocols. And if you decide to migrate from MPLS networks to the Internet using EncrypTight, you don’t experience any service interruptions.
Layer 4 encryption
In addition to Layer 2 Ethernet frame encryption and Layer 3 IP packet encryption, EncrypTight offers a Layer 4 payload-only encryption option. Layer 4 encryption offers many advantages, including:
- Encrypted data can pass through NAT devices. VPN tunnels, which encapsulate the original Layer 3 header, often don’t work with NAT.
- Compatibility with policy-based routing and load balancing, which require Layer 3 addresses to be intact.
- Layer 3 headers remain intact, making it possible to troubleshoot the network without turning off encryption.
- Because the headers are intact, the traffic resembles unencrypted data, making it possible to use within countries that restrict encrypted data.
Faster, safer, cheaper
If you want to lower costs and increase throughput, consider EncrypTight. It will enable you to quickly and easily set up a fully encrypted “mesh” that provides high-speed, secure, any-to-any connectivity over any public (or private) network. You can switch from expensive, private WAN links to inexpensive, public Internet connections with much greater bandwidth (Fig. 2). Plus, you’ll get a fully compliant solution that offers security via encryption and ongoing authentication.
For more information on EncrypTight, and to download our free White Paper Group Encryption: The key to protecting data in motion, visit blackbox.com/go/EncrypTight.