Complete LAN Encrytpion

Unanswered Question
Mar 17th, 2010


My organization has a security office who is trying to make our IT department's security posture hyper-secure.  One suggestion that the security officer is pushing hard is that all internal "data in transit" is encrypted with IPSec (they're not talking about WLAN).  He envisions our Windows servers and our Windows XP clients transferring data only over IPSec with AH and ESP only (OS doing the encryption).  Nothing in the clear on the LAN.

While I understand the need for security, encryption for "data at rest" and the absolute need for encryption as one of the security elements outside of our corporate LAN, it seems to me that we would lose a lot more than we gain if this proposal is implemented by management.  My concerns are:

1.  We lose the ability to effectively apply QoS / CoS based on application type (everything comes across as port 500)

2.  Losing QoS / CoS makes our multi-service network supporting Unified Communications (VoIP) much less predictable

3.  We lose the ability to create an Application aware network (meaning I can't apply PBR, advanced security features such as the ASA BotNet detector, have automatic trust boundarys set up with CDP, etc.)

4.  Because it appears that the network becomes little more than dumb pipes, if a server becomes compromised, we have no additional lines of defense (meaning we don't have network based behavior analytics, firewall policies, in-line AV, IPS/IDS, etc.)

5.  We lose the ability to use tools like NetFlow and perhaps IPSLA.

It seems that if complete LAN encryption (using the OS has the encrypting engine) does turn the network in to dumb pipes, the network actually becomes less secure.

Is anyone actually performing total LAN encryption or is this just a security pipe dream?  If someone is doing this, how is QoS / CoS supported?  How is capacity planning performed?  How do you identify top applications (many of our applications reside on the same server and have the same IP address)?

If this is a bad concept what kind of technical rebuttles should be used?

Thanks for your feed back!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Jon Marshall Wed, 03/17/2010 - 11:04


If this is a bad concept what kind of technical rebuttles should be used?

Ah, security people eh ? The unofficial technical rebuttal is that he is an idiot but i guess you need more than that

Does this guy have any network knowledge ? I ask because i have come up against security people with little or not network knowledge suggesting things that just aren't practical. My personal favourite was at the last company i worked where we had a network for 20000 users covering the whole of the UK. The new security guy had used ISA firewall at his old place to authenticate DHCP on a flat L2 switched network. So his proposal was to convert our entire network into a flat L2 network. Needless to say it didn't happen.

I haven't come across a network that is end-to-end encrypted internally although i can't say for sure they don't exist. Your level of security would need to be extremely high to even justify considering it. I think you have covered a lot of the technical reasons for not doing it ie. your intelligent network now becomes almost completely blind and you lose an awful lot the functionality that you have probably paid a good deal of money for. I wouldn't like to think what it would do to end user performance either.

The functionality of the network aside I think one of the key arguments you made was that by encryptiing everything your'e actualllly potentially making things worse because now you have pretty much lost all visibility of what your internal users are doing. And if he says that's okay because the internal users can be trusted then why do you need to encrypt the traffic anyway ?

There are so many other security features that can be used and it might be worth trying to understand exactly what he is trying to protect against. More importantly is he honestly saying that every bit of data on the network is so sensitive it needs encrypting ? - unlikely and costly.

Perhaps if he could outline his concerns in a more specific way you could then address them with the features available in your network already ?


Ken Douglas Wed, 03/17/2010 - 13:13


Thanks for your reply.  You've validated my thoughts (including your first comment!).

I think your points are succinct and very relevant.  I've heard about the concept of encrypting all data on the protected LAN but mostly from Microsoft folks (Let Microsoft handle your network security).

BTW... your first comment made my network manager laugh...



Leo Laohoo Wed, 03/17/2010 - 15:38

Wow.  Someone's gotta lay off on their intake of Prozac.

I have a good document to debate on this.  Because we are managing a government network, we have to follow the strict guidelines.  Our guidelines are shared among countries like US, UK, Canada, Germany, etc under a term called Common Criterea (CC).

I have no idea what country you are in but if you find this manual and throw the book at `em (literally, the book is about 3 cm thick!) he/she might back down.  If their (in)security is worst than your country's government guidelines then the IT security needs to talk to the men-in-white.

Complete LAN Encryption is, to be frank, slows down the LAN.  You need enough CPU/ASIC power to encrypt data and push it across.

Leo Laohoo Wed, 03/17/2010 - 19:01

Have you checked out the new 3560X and 3750X series?  Look at the new feature called MACsec (MAC security).

The Cisco Catalyst 3750-X and 3560-X Series Switches offer exceptional security with integrated hardware support for MACsec defined in IEEE 802.1AE. MACsec provides MAC layer encryption over wired networks using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the keys required for encryption when configured. MKA and MACsec are implemented following successful authentication using 802.1x Extensible Authentication Protocol (EAP) framework. In Cisco Catalyst 3750-X and 3560-X Series Switches only the user/down-link ports (links between the switch and endpoint devices such as a PC or IP phone) can be secured using MACsec.

Cisco Catalyst 3750-X and 3560-X Series Switches Data Sheet

dlignier Fri, 01/07/2011 - 01:29


Is it possible to configure macsec on interface in trunk mode between two 3750-X (two sites connected in lan to lan) ?


hobbe Wed, 02/16/2011 - 00:40

no it is not possible at this time to connect two 3750x with encrypted links towards eachother.

but it will be in the near future acording to my cisco contacts.

this is, for me atleast a much sought after feature.

And to the original poster about a year late or so so I doubt that you will have any use of my info but who knows someone might,

Yes I have seen such networks, but they are few and there is a reason for them to be few.

Its a big total pain to even try to make that work even "half decent" in a "normal" produktion environment.

and i have never seen any such network with more than a few computers.

trust me, It costs lots more than it tastes.

but if he wants that, then setup a testenvironment.

after that he might back down.

Its all good in theory,

In theory, theory and practice is the same, in practice its not.

Good luck


sean_evershed Fri, 01/07/2011 - 07:28

I'm a bit confused, if security is so important to your company, how come you are still running Windows XP clients and Windows servers?

You should be using dumb terminals connected to a mainframe.

Another thing to consider is the increase in bandwidth consumption caused by the encrypted packets. You are going to be adding about 53 bytes to every packet.

If in effect you are making your network less secure by adopting this model a significant percentage of computer crime is actually committed by internal employees rather than external hackers.

Good luck


Hi guys!

Looking for a L2 wan point to point encryption solution, I did some basic research about MACSEC/TRUSTSEC, and I want to confirm with you what I have  observed:

-TrustSec is the Cisco implementation for MSCSEC (IEEE 802.1AE).

-TurstSec has been created for a whole solution of encryption, integrity, authentication, where the whole the network is speaking TrustSec.  Additionaly, TrustSec works together other sec devices and protocols (NAC, 802.1X, ACS).

-TrustSec could authenticate/authorizate a user or device taging his frame L2.

-Here a brief Solution Overview:

-->Can someone confirm my perception that TrustSec is a whole solution for L2 encryption, authentication and integrity?

-->Do someone knows a solution (device or protocol) to encrypt a L2 wan point to point (a inter-site L2 trunk for example)??

Best regards,

Carlos Manzo

hobbe Thu, 03/24/2011 - 08:06

Working today when it comes to cisco 802.1AE is a 7000 towards a 3750x

have not tested this myself though.

AFAIK the 3750x will support links inbetween them in a coming release. Soon.

I am waiting for this version and can tell you when I get it working.

A thing to remember is that the 802.1ae does not (today) support l2 or above links, only L1.

If you are looking outside the scope of 802.1ae you do have lots of encryption hardware that will encrypt your wan link information.

one cheap way to do that is to use the router with ipsec or a firewall.

The link type encryption devices are normally quite expensive.

but there are several companies that is out there that supports point to point encryption.

the faster you want them the more expensive they become.

Good luck



This Discussion