There has been a heightened interest in encryption over recent months, largely thanks to the Edward Snowden leaks showing US and British intelligence agencies were pouring their funds into cracking popular kinds of protection. <\/p>\n
Much of the talk has focused on standards approved by the US National Institute of Standards and Technology (Nist), especially the much-derided Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Secure Sockets Layer (SSL) protections have also faced scrutiny, with an OpenSSL flaw causing something of a panic among security professionals. <\/p>\n
Little attention has been given to encryption across routers and switches, however. Thats despite a rise in router malware, such as the Linux-focused Darlloz worm uncovered towards the end of 2013. <\/p>\n
Yet enabling certain kinds of encryption across different points of the network, rather than focusing solely on applications, can provide significant protection from the most advanced of attackers. But many still arent doing this, says Peter Wood, chief executive officer of security consultancy First Base Technologies. <\/p>\n
Theres no question that transmitting information in plain text remains a significant vulnerability in most organisations. As ethical hackers, we often start our client engagements by examining network data and discovering significant information from a simple packet-sniffing exercise, says Wood. <\/p>\n
Peter Wood, First Base Technologies <\/p>\n
Providing layer 2 encryption at the switch and router would make our activities a lot harder, and thus also the criminals life in a real-world attack. Everyone is used to the idea of SSL for web-based transactions, but little thought is given to encrypting internal traffic or indeed to other types of traffic on the internet. <\/p>\n
Encryption of network traffic by a gateway device is seen by many, including Cisco, to be the best way to ensure protection of communications between local networks. Using a gateway means enterprise traffic will be encrypted regardless of protocol and should bring reduced complexity. <\/p>\n
Network-based encryption and application-layer encryption are not mutually exclusive either. They can, and often are, used together to apply two layers of encryption to data traffic. <\/p>\n
Talking specifically about the network, Wood recommends enabling two types of protection: IPsec and MACsec. <\/p>\n
<\/p>\n