Brocade is adding IPsec and MACsec encryption to its enterprise routers and campus switches to address the increasing demand to secure data everywhere, from the LAN to the WAN and the cloud.
Brocade introduced new port modules for its MLXe router/switch chassis that support Layer 3 IPsec encryption and Layer 2 MACsec encryption inline and at wire speed. The company also added MACsec encryption to its FastIron campus switches, starting with the ICX-6610.
The IPsec encryption on the Brocade MLXe will allow enterprises and cloud providers to encrypt data transiting routed networks, including the WAN, without an external appliance or specialized chassis module. The MACsec encryption will allow enterprises to encrypt data from the campus access layer to the network core.
The combination of IPsec and MACsec encryption gives Brocade an end-to-end security capability, said Bob Laliberte, principal analyst with Milford, Mass.-based Enterprise Strategy Group. "Right now all the research we're doing points to network security being a top priority of IT organizations. This provides encryption at different layers, not just in the external network and the DMZ, but also internal to the organization," he said.
With the new Brocade MLXe port modules, an enterprise can protect data at Layer 2 from the access layer with MACsec encryption, decrypt the data at the MLXe core, then re-encrypt it with IPsec before sending it over a routed network, he said.
Enterprises and cloud providers are clamoring for ways to encrypt data in more places on the network in light of high-profile security breaches and revelations about the U.S. National Security Agency and foreign intelligence agencies trying -- and succeeding -- to penetrate enterprise network security.
"We still need to encrypt across the public network, but there is also a recognized need that even links that were thought of as private links -- like MPLS purchased from a provider or private fiber between data centers -- must be encrypted," said Daniel Williams, director of product marketing at Brocade. "Also, there is an increasing need to do bulk encryption at the network link layer."
IPsec and MACsec encryption on the MLXe address these requirements, he said. This encryption can enhance privacy by obscuring even the metadata that some malicious hackers and intelligence agencies can typically gather from data encrypted only at the application layer via SSL, he said.
Inline encryption on the network port
Inline IPsec encryption on the MLXe line cards differentiates Brocade's approach from that of its competitors, Williams said. Other vendors offer either a standalone appliance or a dedicated service module for a chassis. Encryption on the Brocade MLXe modules eliminates the cost of a second device or component, removes a secondary level of configuration, and helps the company deliver these encryption features at wire speed, he said.
"We're seeing networking vendors thinking creatively about how they can continue to leverage and use their PHY/MAC hardware assets for defensible and sustainable differentiation and value," said Brad Casemore, research director at Framingham, Mass.-based IDC. "In this context, baking security into the mix is a logical move."
The new MLXe line cards include a new 20-port 10 Gigabit Ethernet (GbE) module with 128-bit MACsec encryption at wire speed, which enables end-to-end, hop-by-hop Layer 2 encryption to and from the access layer ICX-6610 switch. It will be available in mid-summer.
The other module is a 256-bit IPsec device with four GbE ports and four 10 GbE ports. The module provides 44 Gbps of IPsec at wire speed, which translates to more than 1 Tbps of wire-speed IPsec encryption on the largest MLXe chassis, Williams said. The IPsec module will be available near the end of this year.