08 September 2016
By Peter Negus, Solutions Architect, BT.
WAN encryption is ineffective on private MPLS networks and makes you more vulnerable to a DDoS attack. Here’s what you really need.
Your security situation.
Let me start by saying that encryption does have its place in the grand scheme of things. Unfortunately, the problem is that many people just go for WAN encryption as a sole solution rather than considering the full security picture. That attitude is risky, and in this blog I’ll explain why.
If money grew on trees…
If your money was unlimited, you could take advantage of all the security controls that you could imagine. However, in real life, nobody has unlimited funds, and every security control has a management overhead. This means you must balance the benefit of each security solution against the cost.
And that’s what I’m going to do here, with WAN encryption — measure the benefits against the costs.
What WAN encryption is good for.
So what risks are you trying to mitigate with WAN encryption? It protects against two main threats:
- Monitoring (confidentiality attack) — an attack from outside your premises, at a street cabinet or BT exchange, for example.
- Man in the Middle (integrity attack) — where an attacker pretends to have the same IP address as one of your sites and modifies your data.
But there’s a catch.
The thing is, whilst these attacks are somewhat likely on the internet, they are very improbable on a private IP network such as BT’s IP Connect. Most attackers nowadays are not targeting the WAN. Instead, they go for the weakest link — unpatched endpoint systems, social engineering, phishing and zero-day malware attacks.
The main problem with WAN encryption, apart from the expense (which I’ll get to in a minute) is that it actually increases your vulnerability to a number of intentional or inadvertent availability attacks. These include:
- DDoS — because the encryption is very processor-intensive, it’s easier to overwhelm the router.
- Time Source Denial of Service — certificates used for encryption have an expiry date. And if you corrupt the system time, you can invalidate the certificate, which results in the encryption failing closed.
- Certificate Revocation List (CRL) Denial of Service — the certificates are checked against a CRL. If the CRL goes down during the certificate check process, then the encryption fails closed.
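The dependency between certificate validity and the router's clock, as an added monitoring sketch that is not from the original post. The router names, dates, 30-day warning window and 5-minute skew limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed inventory: (router, notBefore, notAfter) of each tunnel certificate.
CERTS = [
    ("site-a", datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC)),
    ("site-b", datetime(2015, 10, 1, tzinfo=UTC), datetime(2016, 10, 1, tzinfo=UTC)),
    ("site-c", datetime(2015, 9, 1, tzinfo=UTC), datetime(2016, 9, 1, tzinfo=UTC)),
]

def cert_state(not_before, not_after, clock, warn=timedelta(days=30)):
    """Classify a certificate as a device would judge it at time `clock`."""
    if clock < not_before:
        return "not-yet-valid"   # clock set back: the tunnel fails closed
    if clock >= not_after:
        return "expired"         # genuine expiry, or clock set forward
    if not_after - clock <= warn:
        return "expiring-soon"   # renew before it lapses unattended
    return "valid"

def audit(certs, device_clock, reference_clock, max_skew=timedelta(minutes=5)):
    """Compare what the device sees with what a trusted reference clock says.

    Returns {router: (state_seen_by_device, true_state, clock_induced_failure)}.
    """
    skewed = abs(device_clock - reference_clock) > max_skew
    findings = {}
    for name, not_before, not_after in certs:
        seen = cert_state(not_before, not_after, device_clock)
        real = cert_state(not_before, not_after, reference_clock)
        findings[name] = (seen, real, skewed and seen != real)
    return findings

if __name__ == "__main__":
    reference = datetime(2016, 9, 8, tzinfo=UTC)
    corrupted = datetime(2010, 1, 1, tzinfo=UTC)   # constructed bad device clock
    for label, clock in (("good clock", reference), ("bad clock", corrupted)):
        print(label, audit(CERTS, clock, reference))
```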
Can we crack the certificate conundrum?
So, a worthwhile question would be: can we mitigate this certificate problem, and make WAN encryption worthwhile?
Well, you can implement WAN encryption without digital certificates by using Pre-Shared Keys (PSK). But PSK-based encryption only works properly with very long keys, not ones that your operations teams can easily remember and type in correctly, which makes them a complete pain to administer. Use a short PSK and you might as well not bother.
WAN encryption is difficult to administer.
Meanwhile, troubleshooting on encrypted networks is a difficult business. I’ve seen a number of networks where the certificates have expired during the night shift and nobody knew what to do. WAN encryption reduces your maximum packet size, and this means that applications often fail during transfer to an encrypted WAN — although there’s no alarm to tell you that this is happening.
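A worked calculation of the packet-size reduction, added here as an example and not taken from the original post. It assumes IPsec ESP in tunnel mode over IPv4 with two common cipher profiles and a 1500-byte link MTU; the post does not name the encryption technology, and the drop/fragment model is simplified.

```python
# ESP tunnel-mode overhead per cipher profile (assumed profiles, not from the post).
# iv: per-packet IV bytes, icv: integrity tag bytes, align: padding alignment.
PROFILES = {
    "aes-cbc/hmac-sha1-96": {"iv": 16, "icv": 12, "align": 16},
    "aes-gcm-16": {"iv": 8, "icv": 16, "align": 4},
}
OUTER_IP = 20     # new IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length and next-header bytes, encrypted with the payload

def encrypted_size(inner_len, profile):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    p = PROFILES[profile]
    body = inner_len + ESP_TRAILER
    padded = -(-body // p["align"]) * p["align"]   # round up to the alignment
    return OUTER_IP + ESP_HDR + p["iv"] + padded + p["icv"]

def max_inner_packet(link_mtu, profile):
    """Largest inner IP packet that still fits the link MTU once encrypted."""
    p = PROFILES[profile]
    room = link_mtu - OUTER_IP - ESP_HDR - p["iv"] - p["icv"]
    return (room // p["align"]) * p["align"] - ESP_TRAILER

def tcp_mss(link_mtu, profile):
    """MSS to clamp to: inner packet minus IPv4 and TCP headers (no options)."""
    return max_inner_packet(link_mtu, profile) - 40

def classify(inner_len, df_set, link_mtu, profile):
    """Simplified fate of a packet at the encrypting router.

    Real gateways may fragment before encryption or clear the DF bit instead.
    """
    if encrypted_size(inner_len, profile) <= link_mtu:
        return "forwarded"
    # With DF set the sender only learns of the drop if the ICMP
    # "fragmentation needed" message gets back; otherwise transfers just stall.
    return "dropped" if df_set else "fragmented"

if __name__ == "__main__":
    for name in PROFILES:
        print(name, max_inner_packet(1500, name), tcp_mss(1500, name),
              classify(1500, True, 1500, name))
```

Small packets such as pings and logins pass while full-size transfers stall, which matches a failure that raises no alarm.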
Costs can spiral.
WAN encryption hardware is very expensive. It typically doubles the cost of the end router at lower speeds, whilst at 10Gbps it can quadruple the price. Very little commercial encryption hardware operates at 40Gbps or 100Gbps, although it is possible to encrypt point-to-point links on Ciena DWDM multiplexers, as used on our Optical Connect product range.
And if the hardware is expensive then the operations cost is also high. All encryption services on IP Connect are non-standard, and require premium management services. Then you also have higher SLA costs to cover the increased fault liability.
In the new age of cloud services, WAN encryption seriously limits your flexibility. You will need dedicated access links into each cloud supplier, rather than shared connections. And this could turn out to be so uneconomical that it stops you using cloud at all — which would be detrimental for your business.
How to protect your private MPLS networks.
So, if you’re not spending your money on WAN encryption, what should you be spending it on?
My first choice would be Virtual Desktop Instance (VDI) technologies such as Citrix ICA, which encrypt end to end, and prevent the data ever leaving the data centre. My second choice is providing all applications with Transport Layer Security (TLS), which encrypts from end to end.
The other area for investment is systems that actually warn you of infiltration, such as BT’s Advanced Log Retention system. BT’s Ethical Hacking service is another good area to invest your security budget.
Perhaps the most overlooked area of security is people. I recently had a customer who had 127 IT staff advertising themselves on LinkedIn, including the security manager. LinkedIn has become the number-one vector for targeted phishing attacks, and yet it is often totally ignored by IT security professionals. A $5 training session could be more effective than $500,000 of WAN encryption. Perhaps that’s a subject for another blog post…
For now, I suggest heading to our security and risk management page. There you’ll find more information on the products and services that can keep you secure, without breaking the bank.