How to secure enterprise networks and databases from ransomware, hackers and other business-critical threats?


Current threats to enterprises typically include ransomware, ARP poisoning, MitM eavesdropping, APTs and similar. These threats can enter from a single email or malicious link and spread quickly through the company network (LAN). Commonly used security measures include 24/7 monitoring, firewalls, antivirus software, VLAN segmentation and the like. Enterprises typically base their security actions on network and anomaly monitoring by a SOC, together with other measures.

Still, current security methods do not prevent these threats from infecting the enterprise LAN. Next Generation Encryption (NGE) technology offers a new security layer that legacy IP-security tools cannot provide against these threats.

MACsec is an IEEE 802.1AE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping and playback attacks.
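As an added illustration (not XXLSEC's code or any product's implementation), the following Python shows the receiver-side checks behind the masquerading and playback protection described above: validation of the 802.1AE SecTAG fields and the packet-number replay window of a receive Secure Association. The sample frame is constructed, and ICV verification, which needs the SA key and a GCM-AES implementation, is assumed to be done by the caller before the replay check.

```python
import struct
MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16            # GCM-AES-128 and GCM-AES-256 both append a 16-octet ICV
MIN_NON_SHORT_LEN = 48  # SL is 0 whenever the user data is 48 octets or longer

def parse_sectag(frame: bytes) -> dict:
    """Validate and decode the 802.1AE SecTAG; raises ValueError for anything a receiver must discard."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short to hold a SecTAG and ICV")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("EtherType 0x%04x is not MACsec" % ethertype)
    tci_an, sl = frame[14], frame[15]
    if tci_an & 0x80:                      # V (version) bit must be clear
        raise ValueError("unsupported SecTAG version")
    es, sc, scb = tci_an & 0x40, tci_an & 0x20, tci_an & 0x10
    if (es or scb) and sc:                 # ES or SCB means the SCI is implicit, not encoded
        raise ValueError("SC set together with ES or SCB")
    if sl & 0xC0:                          # top two bits of the SL octet are reserved
        raise ValueError("reserved SL bits set")
    pn = struct.unpack("!I", frame[16:20])[0]
    if pn == 0:                            # a transmitter never sends PN 0
        raise ValueError("packet number 0")
    tag_len = 14 if sc else 6              # 6-octet SecTAG plus optional 8-octet SCI
    sci = frame[20:28].hex() if sc else None
    data_len = len(frame) - 14 - tag_len - ICV_LEN   # octets of (possibly encrypted) user data
    short_len = sl & 0x3F
    if short_len and data_len != short_len:
        raise ValueError("SL %d disagrees with %d octets of user data" % (short_len, data_len))
    if not short_len and data_len < MIN_NON_SHORT_LEN:
        raise ValueError("SL is 0 but user data is shorter than 48 octets")
    return {"an": tci_an & 0x03, "pn": pn, "sci": sci,
            "encrypted": bool(tci_an & 0x08), "icv": frame[-ICV_LEN:]}

class ReceiveSA:
    """Packet-number replay protection for one receive SA (802.1AE clause 10.6); call accept() only after the ICV verified."""
    def __init__(self, replay_window: int = 0):   # window 0 = strict, in-order delivery only
        self.window, self.next_pn = replay_window, 1
    def accept(self, pn: int) -> bool:
        lowest_pn = max(1, self.next_pn - self.window)
        if pn < lowest_pn:                 # replayed or stale frame: discard
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True

# Constructed sample: dst, src, EtherType, TCI/AN=0x2c (SC,E,C set, AN 0), SL=16, PN=1, SCI=src+port 1
SAMPLE_FRAME = bytes.fromhex("0200aabbccdd 020011223344 88e5 2c 10 00000001 020011223344 0001") \
               + bytes(range(16)) + b"\x00" * ICV_LEN   # 16 octets of user data, dummy ICV
```

With a non-zero window, any PN at or above next_pn minus the window is accepted, including a duplicate inside the window; only the strict setting rejects every repeated PN.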

Securing an enterprise LAN segment with MACsec prevents ransomware infections and APT and ARP attacks against the MACsec-secured network segment.

XXLSEC Multiparty Protocol (MPP) based MACsec keying technology is a drop-in solution for any enterprise network, creating MACsec-based layer-2 encryption and authentication that prevents typical enterprise network threats and vulnerabilities.

MACsec key management

Implementing MACsec has been problematic because handling the MACsec keys has been slow, manual and expensive. Some vendors offer MACsec-keying-capable network switches, which means scaling the solution can be very expensive.

XXLSEC Multiparty Protocol based key management creates full MACsec-capable LAN and cloud security with agile and scalable key management for any current enterprise infrastructure.

Why cryptography as security element?

Implementing MACsec means layer 2 encryption implemented in the enterprise network. This creates deeper, wider and stronger security than administrative tools and firewalls. Since MACsec is layer 2 encryption, the vulnerabilities that IPsec or other network segmentation tools do not protect against are covered by MACsec. IEEE 802.1AE is the standard for MACsec and it has been developed specifically to meet modern threats. The first standardization was in 2006 and the latest update in 2017.

Authenticate everything – towards Zero Trust

MACsec offers not only encryption but also automatically authenticates all endpoints in the company network. This authentication process does not allow any third-party device to access the network. Thus rogue actors cannot intercept or inject anything malicious into the network. MACsec with XXLSEC key delivery technology enables zero trust fundamentals to be deployed in enterprise networks.

Zero Trust Architecture (ZTA) is a new, future-oriented collection of guidelines, requirements and fundamentals for enterprise network and IT infrastructure security, defined by NIST SP 800-207. The XXLSEC MACsec security solution enables organisations to fulfil these requirements.

Cost efficiency

Normally, separating network segments requires a lot of physical cabling and labor, which costs a lot. Deploying MACsec also typically means investing in new network switches and key management services. Scaling those switches is expensive, especially in large network instances. MACsec with MPP keying is a cost-efficient and easy way to install MACsec into current networks without investing in new switches, cabling or IT personnel.

With the XXLSEC solution there is no need to change the current infrastructure. Just deploy the XXLSEC multiparty-computation-based key management system.

MACsec vs IPsec and TLS/SSL

MACsec is a more secure cryptographic method and technology than IPsec- and TLS/SSL-based security in enterprise network segments. One fundamental problem in current unsecured LAN deployments is that lateral movement, unauthorized access and MitM are possible because there is no layer 2 encryption or authentication of the endpoints. Enterprises put a lot of effort into authenticating users, but not their computers. Application-level encryption also does not protect against lateral movement in LAN networks. Layer 2 cryptography prevents APT attackers and malware from accessing enterprise networks.

XXLSEC MACsec Key Management - Multiparty Computation (MPC) enterprise security solution

Network Vulnerability Mitigated

Example of a MACsec-secured enterprise WAN, LAN and cloud network architecture