Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

Merging Security Layers Aid DOD Cloud Security: Sponsored Content

As Layer 2 and Layer 3 capabilities mesh, new efficiencies are created.
By Henry S. Kenyon

As the U.S. government migrates to cloud-centric networks, the need to protect them from rapidly evolving cyber threats increases. Network encryption remains key to this, as it protects the integrity of classified and sensitive data and keeps defenses a step ahead of adversaries.

This shifting environment presents Defense Department planners with security challenges, especially as they ponder migrating to cloud-based data storage, processing, and analysis models. Securing information across military enterprise domains, which cover warfighters operating in austere, frontline networks to analysts working at headquarters in the continental U.S., is a daunting consideration, especially when sensitive and classified data must move between different security layers in the network.

A critical part of DOD network security is built around Layer 3 encryption and increasingly, Layer 2 encryption and the complimentary use of both layers and capabilities of the equipment and systems operating within them.

Commercial and government network encryption align to the layers of the Open Systems Interconnection (OSI) model with the numbers 1 through 6 assigned to each layer and their specifications. Appliance-based encryption for software and hardware systems and equipment is covered by layers 1, 2 or 3. For appliances falling under the Layer 2 and 3 categories, the National Security Agency defined two specifications: Ethernet Data Encryption-Cryptographic Interoperability Specification (EDE-CIS) for layer 2 and High Assurance Internet Protocol Encryptor (HAIPE) for layer 3.

HAIPE and EDE Encryption

The HAIPE or Layer 3 encryption specification is designed to provide a similar level of capabilities as the IP Security (IPsec) encryption standard. Appliances using HAIPE need to seamlessly interact with the network and any devices on it.

The HAIPE specification was originally written some 20 years ago to meet the government’s changing needs in the early, explosive days of the internet in the late 1990s when encryption requirements shifted from point-to-point security to protecting ad-hoc and mesh networks. While originally designed as strictly encryption applications with an IP interface, HAIPEs evolved over the last two decades across a variety of vendors.

Like HAIPE, the EDE-CIS is based on a commercial standard—IEEE’s MACsec—and adapted for use in secure government networks handling data up to Top Secret classification levels.

“The beauty of it is, not reinventing new specifications for government, but rather government is adopting commercial specifications in such a way that it is implemented in a high-assurance manner,” says Peter Davee, business unit director for Viasat Inc.’s cloud and infrastructure security products for government systems.

Other advantages modern HAIPEs offer are a network management interface, the ability for granular control for individual devices and groups of devices with the ability to exclude other groups. The specification also enables multicasting data streams and supports Ethernet tunneling.

Because it is based on the IP protocol, HAIPE integrates with existing IP route-based networks used by most government agencies and private sector contractors, including transport over IP-capable radio links and satellite services.

For cloud applications, Layer 3 HAIPE equipment is primarily an edge device pushing data to the cloud. This differs from Layer 2 EDEs, which are primarily for cloud infrastructure, enabling a fast and efficient flow of information between data centers and over a transport backbone, says Davee.

A big change in recent years is that Layer 2 encryption is pushing out to the edge of the network, where Layer 3 devices traditionally operate. Davee notes that Layer 2 applications and devices that were once considered infrastructure are beginning to appear in data aggregation centers—places where Layer 3 devices and products are used to aggregate thousands of data links into a single data pipe. These could be supported by Layer 2 devices as well, he says.

The evolution of Layer 2

In its initial uses, EDE Layer 2 encryption applications resided at the data center interconnect. Later, new capabilities such as multiple point-to-point models expanded the market for EDE into new areas like peering backbone connections, including transport networks, and enterprise networks that attach to data centers.

EDEs are an important part of protecting federal government cloud infrastructures. They defend cloud Data Center Interconnects (DCIs) and simplify the network workload, enabling secure high data throughputs at tens and hundreds of gigabits per second. Layer 2 devices have been successful enough in protecting government DCIs that it has led to increased demands on enterprise backbone networks connecting to cloud resources.

An important change is the migration of Layer 3 capabilities into Layer 2 devices. This provides network operators with the benefits of Layer 3 and the advantages of EDE Layer 2. Besides encryption, EDE devices are beginning to provide Layer 2 networks with certain switching capabilities, and like HAIPE, this permits more granular device and group control with the ability to exclude groups, reduces the overall network attack surface, and eliminates additional management needed for IP routes in plain text and cypher networks.

This is very important for organizations migrating capabilities from Layer 3 to Layer 2, says Darrell Lenning, a principal network engineer at Viasat. He notes that much of the ability to do a proper migration depends on an institution’s capability to provide the transport circuits. Using MACsec, an EDE can be used to “collapse” or reduce some of the complexity associated with IP boundaries and the routing challenges many organizations face because of this existing complexity, he says.

“To eliminate a lot of the administration for those devices, it’s certainly simpler to administer Layer 2 devices over Layer 3, especially in complex routed networks,” Lenning says.

Another aspect of EDE is the ability to push end-to-end encryption via Layer 2 circuits across an enterprise to the very edge of a network. For military users, this means providing secure communications for warfighters operating on battlefields at the fringes of DOD operational networks.

Bridging Layers 2 and 3 can be challenging, especially when dealing with legacy equipment. Lenning notes that major vendors such as Juniper and Cisco offer solutions to help organizations transition from synchronous optical network (SONET) to carrier Ethernet or other optical transport solutions such as dense wavelength division multiplexing (DWDM). In some cases, SONET and other optical transport systems are being replaced with DWDM capabilities, which permits them to connect their equipment with EDE solutions.

Additionally, transport protocols such as multiprotocol label switching (MPLS) can be supported by an EDE. For high speed backbones and data center interconnect circuits, this allows some of the carrier tagging mechanisms to be used and transported by MPLS, Lenning says.

Viasat’s security products are designed to work in this space, giving government users more options for connecting different OSI layers.

“Government networks combine flexible commercial products and protocols operating at Layers 1, 2 and 3. Our security products work in conjunction with those networks, securing those same protocols,” Davee says.

He adds that this is a combination of upgrading commercial routers and switches and installing Viasat security products designed to interoperate with a variety of products.

Growing impact on DOD

The meshing of EDE Layer 2 and HAIPE Layer 3 capabilities benefits military users in several ways. The first is efficiency because DOD agencies can reduce the amount of equipment they have to purchase and maintain. This is because data and aggregation points are being consolidated into single solutions, which is a major cost savings, Davee says.

Steady improvements in hardware technology also mean that devices and solutions are more efficient, allowing organizations to grow and expand their networks more effectively.

“We can have products that support designs where you can have a low-bandwidth connection point and a high-bandwidth connection point in the same hardware chassis. That gives some flexibility [to the DOD],” Davee says.

Eventually, Davee believes that platforms will support solutions where the system is high-assurance, but the connections are virtual and able to “flex” their bandwidth requirements within the software applications. He adds that the DOD’s goal is to have less equipment to maintain and manage while also being able to scale and flex its network connections in real time using automation or machine learning algorithms for improved efficiency.

“They [the DOD] want to see a seamless transition between a Layer 2 and a Layer 3 network that allows them to have the ability to start with Layer 2 and migrate to Layer 3, or vice versa, without actively having to manage that,” Davee says.

However, legacy equipment and infrastructure is an ongoing technical and financial challenge because more Layer 3 networks have been implemented in the DOD than Layer 2 networks. The intelligence community has more rapidly adopted Layer 2 networks while the military’s IT infrastructure is primarily Layer 3, notes Tony Ellison, director of business development sales at Viasat.

Viasat has products in its portfolio that can work in both Layer 2 and Layer 3 environments. This allows users to preserve their existing Layer 3 infrastructure and platforms and when they are ready to move to more efficient Layer 2 architectures, these products will permit a smooth transition.

“It’s easier when you have a brand new network and you can go either way. It’s different when you have existing networks you’re trying to modify or expand, because you’re talking about not just encryptors, but about routers and switching and all the other factors that go into the infrastructure space,” Ellison says.

Because Layer 2 and Layer 3 encryption are complementary, there are opportunities for EDEs to be used by DOD and federal agency transport and aggregation points. As network operators begin building dedicated Layer 2 network infrastructure, the advantages of high bandwidth, low latency and lower operating costs will become more attractive. Viasat wants to have a stake in this marketspace.

“We’re trying to walk that line, to allow the DOD specifically to have the option to [make the transition] when they’re ready. Due to the funding and magnitude of the effort required to change, they migrate a little slower than some groups who adopt the “latest and greatest” as soon as its available. Viasat’s goal is to provide them flexible products that allow them to invest without having to replace when they decide to make a transition,” Ellison says.

For a deeper dive into Layer 2 and Layer 3 networking visit: https://go.viasat.com/layer2layer3networking.html or call our team at 844-725-5608.

Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA