Encryption at Several Layers

© 2004 Cisco Systems, Inc. All rights reserved.

Various methods for VPN protection are implemented at different layers. Providing privacy and other cryptographic services at the application layer was very popular in the past, and in some situations it is still done today. For example, the Secure Shell (SSH) protocol provides cryptographic protection, primarily encryption and authentication, for data exchanged over the Internet.

The Internet Engineering Task Force (IETF) has a standards-based application-layer protocol called Secure Multipurpose Internet Mail Extensions (S/MIME) for VPN applications whose messages are generated by a number of communication system components (for example, message transfer agents, guards, and gateways).

However, application-layer security is application-specific: the protection methods must be implemented anew in every application.

Some standardization has been successful at layer four (transport) of the OSI model, with protocols such as Secure Sockets Layer (SSL) providing privacy, authenticity, and integrity to TCP-based applications. SSL is popular on modern e-commerce sites, but it does not address the issues of flexibility, ease of implementation, and application independence.

Protection at lower levels of the OSI stack, especially the data-link layer, was also used in communication systems of the past, as it provided protocol-independent protection on specific untrusted links. However, data-link layer protection is expensive to deploy on a large scale, because every link must be protected separately; since each link is encrypted with its own key, the traffic is in the clear at every intermediate station (router), which allows a "man-in-the-middle" attack (hijacking a network session) at those stations.

Because of the limitations discussed, layer three has become the most popular level on which to apply cryptographic protection to network traffic.
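To make the hop-by-hop versus end-to-end argument above concrete, the following small model (added here; it is not code from the Cisco course material) walks one packet across a constructed path and records at which nodes a sniffer could read a credential in the clear. The node names, keys, payload and the SHA-256 keystream "cipher" are all constructed for the example.

```python
import hashlib

# Constructed sample payload carrying a credential a sniffer would look for.
SECRET = b"GET /login user=alice password=hunter2"

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream XOR (SHA-256 in counter mode). Not a real cipher; it only
    makes the model concrete. Symmetric: applying it twice restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[i:i + 32], ks))
    return bytes(out)

def _can_read(data: bytes) -> bool:
    """What a sniffer on the node would see: is the credential in the clear?"""
    return b"password=" in data

def hop_by_hop(path, link_keys, payload=SECRET):
    """Data-link protection: each link has its own key, so every router has to
    decrypt the packet to route it and re-encrypt it for the next link."""
    seen = {}
    data = payload
    for a, b in zip(path, path[1:]):
        seen[a] = _can_read(data)                    # node a holds plaintext
        wire = _xor_stream(link_keys[(a, b)], data)  # sealed for link a -> b
        data = _xor_stream(link_keys[(a, b)], wire)  # b decrypts with link key
    seen[path[-1]] = _can_read(data)
    return seen

def end_to_end(path, e2e_key, payload=SECRET):
    """Network-layer protection (IPsec-style): the source seals the payload
    once; routers forward the ciphertext and only the destination can open it."""
    seen = {path[0]: _can_read(payload)}
    wire = _xor_stream(e2e_key, payload)
    for router in path[1:-1]:
        seen[router] = _can_read(wire)               # router sees ciphertext only
    seen[path[-1]] = _can_read(_xor_stream(e2e_key, wire))
    return seen

# Constructed topology: two routers between the hosts, one key per link.
PATH = ["hostA", "R1", "R2", "hostB"]
LINK_KEYS = {(a, b): hashlib.sha256(f"{a}-{b}".encode()).digest()
             for a, b in zip(PATH, PATH[1:])}

if __name__ == "__main__":
    print("hop-by-hop:", hop_by_hop(PATH, LINK_KEYS))
    print("end-to-end:", end_to_end(PATH, b"constructed-e2e-key"))
```

Under hop-by-hop protection every router in the path reports the credential readable, which is the exposure that makes an intermediate station a useful man-in-the-middle position; under end-to-end protection only the two hosts do.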
