Vendors often use security certifications to suggest more "certified" security than is actually present. Two of the most misused certifications are FIPS and Common Criteria. It is no accident that FIPS- and Common Criteria-certified products have proven to provide less security than necessary. Some certifications do deliver what they promise: certified security. One of them is the certification by the German Bundesamt für Sicherheit in der Informationstechnik (BSI).
Certifications, whether FIPS, Common Criteria, BSI or others, are granted only for certifiable configurations. Only operation of the device in such a configuration is certified.
Is payload data encryption a sufficient protection?
In most cases not. Pure payload encryption can provide data confidentiality if done properly, but it cannot provide the communications security that network security requires. Communications security is based on five main characteristics:
Without a secure encryption device, the keys are not secure. Without secure keys, the encryption is not secure. Without authenticated encryption and additional authenticated data, the network is not secure. Additional network traffic obfuscation ensures that tapping the network yields no usable information about network activity.
While these requirements can easily be met for datacenter interconnects and site-to-site VPNs, remote access depends on the capabilities of the access device and is subject to different criteria.
Networks are unsafe. This is true for optical networks as well as for all other wired and wireless networks. It is actually quite easy to find all the tools and instructions needed to attack a network; a simple search on the Internet provides the necessary information. Without encryption, networks passing over public ground are unsafe. It is thus not a question of whether encryption is needed, only of which encryption approach is the most efficient and the safest. The encryption itself, however, does not secure the network. Network security requires a combination of replay protection, integrity protection, authenticated encryption and traffic flow security.
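The combination called for above (authenticated encryption with additional authenticated data, integrity protection and replay protection), as an added Go example that is not part of the original page or of any vendor's product: a constructed layer-2 style frame keeps its 14-byte header in the clear, binds that header to the AES-GCM-protected payload as AAD, and carries a sequence number that serves as both nonce and replay counter. The frame layout, the `link` type and the strict-ordering replay check are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed frame layout: a 14-byte header (dst MAC, src MAC, EtherType) stays in the
// clear so switches can forward it, but is bound to the payload as AAD together with a
// 64-bit sequence number that serves as both GCM nonce and replay counter.
const hdrLen = 14
type link struct {
	aead cipher.AEAD
	seq  uint64 // sender: last sequence number used
	last uint64 // receiver: highest sequence number accepted
}

func newLink(key []byte) (*link, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &link{aead: aead}, err
}

// protect emits: header || seq || AES-GCM(payload, AAD = header || seq).
func (l *link) protect(frame []byte) []byte {
	l.seq++ // never reuse a nonce under one key; rekey long before this wraps
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], l.seq)
	aad := append(append([]byte{}, frame[:hdrLen]...), nonce[4:]...)
	return l.aead.Seal(append([]byte{}, aad...), nonce, frame[hdrLen:], aad)
}

// unprotect enforces replay protection first, then the tag over header and payload.
func (l *link) unprotect(wire []byte) ([]byte, error) {
	if len(wire) < hdrLen+8+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	seq := binary.BigEndian.Uint64(wire[hdrLen : hdrLen+8])
	if seq <= l.last { // strict ordering; real devices use a sliding window instead
		return nil, errors.New("replay: sequence number already seen")
	}
	nonce := append(make([]byte, 4), wire[hdrLen:hdrLen+8]...)
	payload, err := l.aead.Open(nil, nonce, wire[hdrLen+8:], wire[:hdrLen+8])
	if err != nil { // any change to header, seq or payload lands here
		return nil, errors.New("integrity: authentication tag mismatch")
	}
	l.last = seq // advance only after verification so forged frames cannot move it
	return append(append([]byte{}, wire[:hdrLen]...), payload...), nil
}
```

Traffic flow security (padding and dummy frames so that an observer cannot see when real traffic flows) is the one property from the list that this block does not show.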
The lower the layer, the more comprehensive the set of protocols that can be encrypted, and the more efficient the protection and the processing. Encrypting at layer 2 is the only approach that efficiently encrypts all network data while maintaining maximum network compatibility. Encrypting the entire bitstream at layer 1 reduces network compatibility to a minimum and is therefore used only for direct optical fiber links (dark fiber or xWDM); a typical use case is securing datacenter interconnects (DCI). Complexity, overhead and cost of encryption differ substantially between layers, so the usage scenario and the business requirements should determine the choice of encryption layer.