animind - Fotolia
Brocade has launched in-router data encryption that the company is promoting as a performance-enhancing method for protecting information traveling over a network.
This week the networking company released encryption modules for its MLXe routers. The new technology supports either the IPsec or MACsec industry standards for encryption.
While some experts disagree, Brocade argues that more data can be encrypted faster by having the process occur at the I/O ports of the MLXe rather than on a separate security device.
If heavy data volumes are sent to a security appliance, companies have to add devices in order to handle encryption along with other chores like intrusion detection and running a firewall and anti-virus software. Having more devices increases the complexity of managing security, according to Daniel Williams, a director of product marketing for Brocade.
While Brocade's argument sounds reasonable, performing encryption on multipurpose security appliances is just as effective, Mike Fratto, analyst for Current Analysis, said. "It doesn't really matter."
Security devices like a firewall would inspect the traffic, then drop the authenticated data into a virtual private network (VPN) gateway where it is encrypted, Fratto said. Like Brocade's MLXe module, security devices encrypt using specially programmed chips that work at adequate speeds to avoid becoming a bottleneck.
"This is really a convenience factor," Fratto said of the Brocade module. "You don't have another device doing the encryption."
If set for IPsec encryption, the MLXe can handle up to 44 gigabits per second (Gbps) of data. MACsec encryption can be processed at 200 Gbps. IPsec uses AES 256-bit encryption, while MACsec AES 128-bit. AES is the Advanced Encryption Standard used by the U.S. government to protect classified information.
MACsec is typically used to encrypt data communications between a switch and whatever is plugged into it. The purpose of this point-to-point encryption is to prevent someone from intercepting readable data on that line. IPsec is particularly useful for implementing virtual private networks (VPNs).
An MLXe equipped for router encryption would be well suited for enhancing security in public and private cloud rollouts and in high-performance wide area networks (WANs), IDC analyst Rohit Mehra said. Brocade customers in retail, financial services, healthcare and government would find the Brocade technology a "nice value-add to their broader security architecture."
Other experts worry that having security in network infrastructure could reduce involvement by security pros.
"I'm a fan of having more functionality in routers, but moving what was a dedicated appliance to a line card in a router usually means that the security function is being done by the core infrastructure team and not the security team," Ron Gula, chief executive of network monitoring company Tenable Network Security, said.
Using multiple MLXe modules can increase the data capacity of encryption to 1 terabit per second per router. But very few companies will need to scramble such a high volume of data, Williams said.
"We don't have customers planning on doing that today, but that's where we're heading," he said.
The world is creating vast amounts of digital data. The amount is expected to grow to 40,000 exabytes by 2020 from 130 exabytes in 2005, according to IDC.
A MACsec-capable module for the MLXe starts at $90,000. A module that supports IPsec and MACsec at a maximum data rate of 44 Gbps costs $120,000. The Brocade Netiron OS 5.8 software that enables encryption is provided at no additional cost.
What you need to know about database encryption
What's good, and bad, about P2P encryption
Managing the encryption key