You don't have to sacrifice speed or bandwidth to adequately secure your carrier-grade enterprise WAN. Not, at least, according to Certes Networks (formerly CipherOptics). The network encryption vendor's latest addition to the Variable Speed Encryptor (VSE) product line, the CEP10G, is a network encryptor that can secure traffic traveling up to 10 Gbps.
Why might you consider Certes Networks' encryptors?
The problem that Certes Networks solves is this: Most network security appliances -- like firewalls, VPNs or network encryptors -- are standardized on Ethernet speeds of 10 Mbps, 100 Mbps, 1 Gbps and 10 Gbps.
"This is all well and good if you happen to have a WAN link that’s exactly that line rate," said Jim Doherty, Certes Networks' chief marketing officer. "The problem is there are a lot of different WAN speeds that you can provision a link for."
He went on to explain that if enterprises or carriers have WAN links that don't match up to their security devices, they are forced to either overpurchase or underperform relative to the bandwidth they're paying for. For example, if you have a 50 Mbps link, you either have to overbuy with a 100 Mbps appliance or underperform and get 10 Mbps. Neither option is ideal. With Certes Networks' VSE line, which now reaches up to 10 Gbps, enterprises and carriers can adjust their encryption speeds to match their WAN link provisions. (The CEP10G specifically offers 2.5, 5 and 10 Gbps throughput options.)
At the same time, Certes Networks touts a no-growth-penalty license, under which customers buy a physical network encryptor and a one-time performance license that matches their bandwidth. When you need an upgrade, rather than making you buy another license for the higher throughput, Certes Networks will charge you only the difference between what you initially purchased and what you grow to.
"We’re not going to hit you every time you have to increase your bandwidth," Doherty explained. "We actually just charge you as if you had purchased that from the very start. So now the customer can come in and buy exactly what they need with no real concern that, 'Well, if we grow tomorrow then are we better off financially buying it now so we don’t have to suffer a penalty for an upgrade?' We made all of that go away."
How does the CEP10G network encryptor compare to VPNs?
Unlike traditional IPsec VPNs or SSL VPNs, the CEP10G network encryptor and all VSEs are tunnel-less. The products are functional across Layer 2, Layer 3 and Layer 4 and use one group policy. Because of this, a network security appliance no longer has to look up X number of rules for every packet that goes through.
"With our group encryption method, we can take any full-mesh network and cover it in a single policy because we’re not doing all these point-to-point links. So there’s this massive policy compression that enables our networks to go faster [than anyone else's]," Doherty said.
Does this pose any security issues? Research Vice President for IDC's Security Products service Charles Kolodgy says no: "Having one policy, as long as you can separate the data using the key management, is probably OK…. If there's no separation for the data between different users or different streams, that becomes just plain old bulk encryption, and they're doing a lot more than just bulk encryption."
What Certes Networks is trying to do is group its multi-key management into one stream so that you're not wasting bandwidth, Kolodgy explained.
The fact that Certes Networks uses hardware network encryptors makes its solution more secure than software solutions like SSL VPNs. Using hardware also allows the vendor to achieve industry-leading encryption speeds, according to Doherty.
Who needs to encrypt at 10 Gbps?
The CEP10G VSE is really meant for carriers or very large enterprises. Large banks or manufacturing companies like Amazon that have distributed networks and process a lot of information will need speeds like 10 Gbps.
"I don't know how many companies use 10 Gbps right now, but the issue is that you always have to buy ahead.… Even though you might not need 10 Gbps right at this moment, there will be a time when you'll need it," Kolodgy said. He went on to explain that as companies struggle to procure enough bandwidth for video, unified communication (UC) technologies will fuel the need for faster gigabit Ethernet.
CEP10G appliances will be available in limited quantities starting April 2011 and will be generally available in June 2011.
This was first published in January 2011