Hardware Based Encryption

Answered Question
Sep 22nd, 2012

Hello Guys,


Is there any way to encrypt data travelling on a WAN link without establishing a VPN between sites? If yes, please let me know what hardware can do this task.


I'm asking this question because:

We have an existing HQ with 20 existing branches connected to HQ through VPN links over the Internet cloud, and we are planning to discard the Internet link of 3 of the existing branches and provide them a data link through microwave. While they are connected through the microwave data link, the actual data transmitted between those 3 branches and HQ will not be encrypted, because we are not going to establish a VPN between HQ and those 3 branches. So here we want to have some sort of router that encrypts the data at the hardware level without needing to have a VPN link established.

Average Rating: 5 (3 ratings)
Correct Answer
hobbe Sat, 09/22/2012 - 04:01

Hi

Since VPN is a concept, not a product, the answer to your question is always "yes and no, but it depends".

VPN = Virtual Private Network

It is a concept: through encryption you will have your "own" network on a link where others might also reside.

I.e. just the thing you are asking for.

First of all, you can still have the same type of VPN over the microwave links as you would over the Internet.

No difference, except that instead of going over an ISP you are doing it over a microwave link.

Will the links be L1? If so, then you can use switches with 802.1ae MACsec.

There are a bunch of different boxes that encrypt everything that comes in at one end and send it to another box at the other end, which decrypts it there, and vice versa. However, those boxes tend to be quite expensive.

Good luck

HTH

Waheed123 Sat, 09/22/2012 - 04:37

Thank you HTH. 

Can you tell me how strong the 802.1ae MACsec encryption is? Can we compare its strength to the 3DES algorithm which is used on VPNs?

We have a Cisco 3550 switch and it does not support 802.1ae MACsec. Am I right?

Correct Answer
hobbe Sat, 09/22/2012 - 04:54

Hi

It is AES, 128-bit.

AES is a newer encryption standard than 3DES and, afaik, it has basically replaced 3DES as the standard encryption method used for new sites today.

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html

No the 3550 does not support it.

You will need to go to e.g. the 3560X, 3750X and so on.

Good luck

Hope This Helps

Waheed123 Sat, 09/22/2012 - 23:10

Thank you Hobbe, your info is really helpful.

For this setup, is only the Cisco switch needed? Or is any application also needed for doing authentication, authorization, ...?

I mean, through the switch we can do MACsec encryption, authentication and authorization?

Do you have any scenario that shows the configuration of TrustSec and/or MACsec? I just want to view how it works. Please share it with me if you have any.

Correct Answer
hobbe Sun, 09/23/2012 - 00:03

Hi

Yes, 802.1ae works with just the switches; nothing else is required.

There is no AAA of persons involved; it's just device port to device port, from port x on switch one to port y on switch two.

(Actually you can use 802.1ae to also encrypt links between a computer and the switch, but this is not the case in this scenario; then we are talking about TrustSec.)

TrustSec is a big framework, not just 802.1ae, and MACsec is a part of that framework. So in this scenario they are basically interchangeable.

Here are some scenarios

You have leased 2 racks in a hosting company, but there are some racks in between them and you would like to have a secure communications line between your two racks.

You can then run 802.1ae between them and all the traffic on that link will be encrypted.

Another scenario would be:

You are in a building and you have access to several floors, but in between these floors there are other tenants and you want to secure your communication links so that they cannot listen in on them.

And of course your own scenario:

You have two different buildings and you want to connect them and have an encrypted link between the buildings.

There is one big thing with 802.1ae, and that is that there can only be layer 1 devices in between the switches.

I.e. you cannot use anything that needs to go above that layer; that will break the 802.1ae encryption scheme.

And of course, some links:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html

http://www.cisco.com/en/US/netsol/ns1051/index.html

Thanks for the ratings.

Good luck

Hope This Helps

Waheed123 Tue, 09/25/2012 - 09:19

Thanks again.

Do you mean there is no need for any authentication server in the network for doing switch-to-switch encryption with MACsec? If yes, I would appreciate it if you could send me an output for configuring that.

The link you attached is for configuring TrustSec, which has really a lot of info, and that makes me puzzled. I'm really not too good at configuration of authentication....

One more thing: do you have any reference that shows live Cisco ACS for Windows configuration outputs? I'm really in need of that. I will purchase it if available. I don't like the PDF docs which are available on the Cisco website; they cannot help me.
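The switch-to-switch setup hobbe describes above (port to port, no AAA server, no people involved) corresponds to Cisco TrustSec manual mode on the Catalyst 3560-X/3750-X family: the two switch ports share a pairwise master key (PMK) and negotiate MACsec session keys with SAP, and no ACS or RADIUS server takes part. The following is an added configuration example written for this page; it is not output from the thread's participants and not copied from Cisco documentation. The interface name, the PMK value and the description are placeholders to be adapted, and which ports support MACsec and exactly which command syntax is accepted depend on the platform and IOS release, so check the release notes for the switches you buy.

```cisco
! Switch A (HQ side). Apply the identical block to the matching port on
! Switch B at the branch, with the same PMK.
! The PMK below is a placeholder (assumption): generate a long random hex
! value, never a memorable one, and treat it like any other shared secret.
interface TenGigabitEthernet1/1/1
 description MACsec link to branch over microwave (placeholder)
 cts manual
  ! Only gcm-encrypt is listed so the link fails closed. If "null" or
  ! "no-encap" were also in the mode-list, a failed SAP negotiation could
  ! bring the port up in clear text, which is the exact condition this
  ! design is meant to rule out.
  sap pmk 0123456789abcdef0123456789abcdef mode-list gcm-encrypt
  ! No security group tagging is used on this link, so do not insert the
  ! TrustSec CMD/SGT header into frames.
  no propagate sgt
!
! Verification once both ends are configured (run on either switch):
!   show cts interface TenGigabitEthernet1/1/1
!       SAP status should report success with mode gcm-encrypt
!   show macsec interface TenGigabitEthernet1/1/1
!       MACsec enabled, cipher GCM-AES-128, encrypt/decrypt counters rising
!   show macsec summary
```

Two checks worth doing before trusting the link. First, tap the microwave span (or mirror the switch port) and confirm every frame carries EtherType 0x88E5 with an opaque payload; anything else means traffic is leaving in the clear. Second, this is hop-by-hop encryption between the two switch ports, which is why hobbe's layer 1 remark matters: the microwave radios must pass those 0x88E5 frames untouched, and any device in the path that bridges, filters by EtherType or otherwise acts on frame contents will break the session rather than silently decrypt it.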

Posted September 22, 2012 at 3:34 AM