Which network traffic encryption method is right for you?

Security has been a top priority for CIOs and CTOs for years, and for good reason. Every day brings more threats and new capabilities that attackers use to steal or snoop on mission-critical enterprise information. Whether to defend against these cybercriminals or simply for peace of mind, the vast majority of businesses have deployed network traffic encryption to strengthen their data protection.

However, several options for this security measure are available today, including AES and IPsec. Each comes with its own advantages, and business leaders and technology managers must weigh the right considerations to select the best one.

What is AES?
First, let’s examine the Advanced Encryption Standard, better known as AES. TechTarget’s Margaret Rouse explained that this encryption method is a symmetric block cipher implemented in software and hardware to encrypt information. AES is used by U.S. federal agencies to protect government information, as well as by other organizations across the globe.

This standard first emerged in 2000 as an answer to the outdated Data Encryption Standard (DES). After extensive research and evaluation, the National Institute of Standards and Technology (NIST) selected a proposed algorithm that became the basis for AES.

How does AES work? 128 vs. 256
The AES standard defines three block ciphers: AES-128, AES-192 and AES-256. The most widely used are AES-128 and AES-256.

“Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128-, 192- and 256-bits, respectively,” Rouse explained. “Symmetric or secret-key ciphers use the same key for encrypting and decrypting, so both the sender and the receiver must know and use the same secret key.”


Seagate noted in a white paper that all three algorithms are well suited to encrypting short messages, computing digital signatures, and establishing or verifying cryptographic material. The three variants have caused confusion in the industry: for years, businesses have wondered whether 256 is stronger than 128 simply because of the larger number. However, NIST has noted that all three AES ciphers provide a high level of data protection that will remain effective until 2031 and beyond.

“All three key sizes are considered adequate for Federal Government applications up through Classified Secret,” NIST stated, according to Seagate.

What is IPsec?
Another encryption standard is the Internet Protocol Security framework, or IPsec. Rouse described IPsec as “a set of protocols for security at the network or packet processing layer of network communication.” Before this framework, protection was applied at the application layer; IPsec let organizations implement security across the board without adjusting each individual user’s computer whenever an upgrade or change was needed. Rouse pointed out that IPsec is particularly beneficial for virtual private networks, where remote users rely on a dial-up connection to reach the private network.

IPsec: AH, ESP, transport, tunnel
Similar to AES, IPsec also offers different choices, including Authentication Header, or AH, and Encapsulating Security Payload, or ESP. AH allows the receiver to authenticate the sender of the data, while ESP both authenticates the sender and encrypts the payload. The two can be used separately or in conjunction with one another.

TechTarget contributor James Turnbull noted that IPsec also has two separate modes: transport and tunnel. Transport mode encrypts traffic directly between two hosts, protecting the packet’s payload; it does not encrypt the IP header, however. Tunnel mode, on the other hand, establishes a virtual pathway, or tunnel, between two subnets and encrypts both the payload and the original IP header.
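The following Go example, added here and not taken from the article or from Talari’s products, models the distinctions above: AH-style authentication without encryption, ESP-style encryption in transport mode (original header left readable) versus tunnel mode (whole packet hidden behind a new outer header), and the fact that AES-128 and AES-256 keys both drive the same 128-bit block cipher. The `Packet` type, the use of HMAC-SHA256 for AH and AES-GCM for ESP, and all keys and addresses are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Packet is a simplified IP packet for this example (hypothetical type): a header
// standing in for the source/destination addresses, and a payload.
type Packet struct{ Header, Payload []byte }

// ahTag models the Authentication Header (AH): nothing is encrypted; an HMAC over the
// header and payload lets the receiver authenticate the sender and detect tampering.
func ahTag(key []byte, p Packet) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(p.Header)
	m.Write(p.Payload)
	return m.Sum(nil)
}

// espSeal models ESP with AES-GCM: 'protected' is encrypted and authenticated, while
// 'clearHeader' stays readable for routing but is bound as associated data so tampering
// is detected. Keys of 16/24/32 bytes (AES-128/192/256) all use the same 128-bit block.
func espSeal(key, nonce, clearHeader, protected []byte) (Packet, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Packet{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Packet{}, err
	}
	return Packet{Header: clearHeader, Payload: aead.Seal(nil, nonce, protected, clearHeader)}, nil
}

func main() {
	key128 := []byte("0123456789abcdef")                 // constructed AES-128 key
	key256 := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	nonce := []byte("unique-nonce")                      // 12 bytes; never reuse with a key
	pkt := Packet{Header: []byte("src=10.0.1.5 dst=10.0.2.9"), Payload: []byte("GET /secret")}
	// Transport mode: original header stays in the clear, only the payload is protected.
	tr, _ := espSeal(key128, nonce, pkt.Header, pkt.Payload)
	// Tunnel mode: the whole original packet, header included, is hidden behind a new outer header.
	inner := append(append([]byte{}, pkt.Header...), pkt.Payload...)
	tu, _ := espSeal(key256, nonce, []byte("src=gw-A dst=gw-B"), inner)
	fmt.Printf("AH tag (no encryption): %x\n", ahTag(key256, pkt))
	fmt.Printf("transport: visible header %q, %d encrypted bytes\n", tr.Header, len(tr.Payload))
	fmt.Printf("tunnel:    visible header %q, %d encrypted bytes\n", tu.Header, len(tu.Payload))
}
```

In a real deployment the nonce is derived from the ESP sequence number and the keys come from IKE, not from constants as here.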

“The principal advantage of IPsec is that it offers confidentiality and authentication at the packet level between hosts and networks,” Turnbull wrote.

At the same time, IPsec has the disadvantage that its security largely depends on the protection of public keys; poor key management could spell disaster. This standard can also be a drag on performance, adding overhead to both network and application traffic.


How can I choose?
Now that we’ve explained the inner workings of each option, let’s explore the top considerations decision-makers should factor in when selecting a network encryption method. Some questions to ask include:

  • What type or level of protection does my business need? AES and IPsec use different methods for securing data, so the type of protection needed will help guide the selection.
  • Does the company strongly enforce the use of robust authentication credentials? Seagate noted that this is particularly important when considering security for data at rest.
  • How will the enterprise manage its encryption keys? This is a key consideration when examining IPsec security.
  • Will this network encryption work well alongside the other security measures already in place? Controls shouldn’t work against each other; each piece of the security puzzle should fit and work well with the others.

Safeguarding network traffic is paramount in today’s business environment, and network encryption can help protect sensitive data and provide peace of mind for enterprises and their users. Talari offers both 128-bit and 256-bit AES and IPsec to encrypt network traffic within its virtual tunnels, ensuring that you’re able to make the best decision about your company’s encryption method.

Categories: Business Continuity, Network Reliability
