Partner | Solution Brief
Cisco Systems Chooses Net Optics Director xStream Pro™ and HD8™ Taps to Demonstrate MACsec Security Protocol
When Cisco needed to showcase their newest Borderless Network capabilities and demonstrate MACsec technology at work, they looked to Net Optics. Director xStream Pro generates live statistics from any network segment even at ultra-high data volumes. Since downtime isn’t an option, they chose the HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10G networks without introducing a point of failure.
What is MACsec?
Vulnerability at the access edge is one of today’s most urgent security challenges. Now, in a convincing demonstration at the 2011 Cisco Live trade show, Cisco used its own switches, along with Net Optics’ Director xStream Pro and High-Density HD8 Fiber Taps, to show how its MACsec technology is vital to protecting data in motion by maintaining data encryption and integrity in the LAN. The demo contrasts the vulnerability of data traveling between network switches—both with and without MACsec.
MACsec refers to the capability of encrypting data communications between a switch and any attached device—most importantly communication on wired LANs. MACsec (MAC for Media Access Control; sec for security) is the brainchild of the Institute of Electrical and Electronics Engineers (IEEE). Known as Security Standard 802.1AE, MACsec is the industry’s new best practice for ensuring data integrity when it comes to independent media access. MACsec is designed to be deployed in conjunction with traditional, higher-level encryption protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH) to enhance security on LANs.
Today, authentication alone cannot guarantee the safety of LAN data. Although physical security and end-user awareness remain important, many instances and locations (for example, remote offices and public access) demand greater LAN fortification. One of the promising answers is MAC Security, or MACsec—part of the Borderless Network Integrated Security Features providing superior layer 2 defense against man-in-the-middle attacks such as MAC, IP, and ARP spoofing.
Net Optics Solutions Help Validate and Dramatize the Necessity of MACsec to Cisco Live Visitors
How does MACsec bolster Borderless Network security?
To show how its IOS MACsec software defends LAN data integrity, Cisco used its 6500 Switches, employing Cisco’s protocol for MACsec-based wire-rate hop-to-hop layer 2 encryption. MACsec’s layer 2 capabilities can identify and block most threats that come from behind the firewall (also known as insider threats). Also used in the demo are the Cisco Catalyst 3500 and Catalyst 4500 families of switches. By using Director xStream Pro, it is possible to demonstrate encryption compliance and validate the proper deployment. The 3500, which does not incorporate MACsec, enables contrasting of encrypted and unencrypted data—the main point of the demonstration.
Used between LAN endpoints, MACsec enables each packet on the wire to be encrypted via symmetric key cryptography. As a result, communications cannot be monitored or altered anywhere on the wire; nor can anyone directly intercept traffic on the line that data travels on. MACsec is one of the most significant advances in network security, enabling confidentiality and identity-based access control at the network edge.
Cisco Live Demo, Tapping Traffic Between Cisco Switches With and Without MACsec, Shows Its Dramatic Impact on Security
[Diagram: Cisco 6500 Series Switches (WS-C6504-E) along the top; Net Optics 10G Fiber Tap HD8 units (ports A, B, 1, 2) on each link; a Cisco 3500 Series Switch (Catalyst 3550) at the bottom; Net Optics Director xStream Pro receiving the tapped streams. Legend: MACsec Encrypted Traffic, Unencrypted Traffic.]
Cisco and Net Optics in Action at Cisco Live 2011: The diagram shows Cisco 6500 switches across the top, using MACsec technology to encrypt Layer 2 traffic between Cisco’s own devices. Initially, traffic is unencrypted, with Cisco then creating a tunnel to perform the encryption. The dashed lines represent encrypted traffic; the solid lines represent unencrypted traffic. This makes the point that without MACsec technology, this traffic remains unencrypted and vulnerable to intrusion and compromise.
Cisco chose the compact Net Optics HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10 Gigabit networks with 100 percent traffic visibility, including layer 1 and 2 errors. Requiring no power, the Net Optics Tap integrates smoothly with Cisco products and maintains permanent access ports for monitoring tools without introducing a point of failure or interfering with network connections.
The newest in Net Optics’ arsenal of security solutions, Director xStream Pro is a high-performance engine purpose-built for the demands of the 10G environment. Cisco needed Director xStream Pro’s ability to generate and make visible live statistics coming from the switches. Its ability to handle ultra-high data volumes was also important for purposes of the demo.
“We chose their Director xStream Pro and HD8 Fiber Taps because we felt they would offer us the support needed to show the value of our newest MACsec technology: This is your LAN with MACsec—and without it,” says a Cisco Technical Marketing Engineer.
MACsec and Director xStream Pro Work Together as a Permanent Compliance Solution
The ability of Director xStream Pro to capture, display, and document the encryption of LAN traffic is a major benefit to companies challenged with regulatory compliance. Director xStream Pro not only verifies that traffic is encrypted, it allows export of statistics into spreadsheets and other documentation—easing compliance verification for auditing purposes. In addition, Director xStream Pro alerts and exposes in real time any problems that might arise with MACsec encryption, allowing users to take instant action and protecting the value of the MACsec investment.
[Illustration: Director xStream Pro Live Data Statistics display. Legend: MACsec Encrypted Data Stream, Unencrypted Data Stream.]
Net Optics Helps Cisco Put the Proof Before Viewers’ Eyes
With MACsec-enabled devices, packets are encrypted on exiting the transmitting device and decrypted on entering the receiving device. They are “in the clear” only within the respective devices. Once the Net Optics HD8 Taps have passively gathered data on the connections, the demo sends data transmissions from the Taps to Director xStream Pro, which collects and displays it clearly in its user interface.
Watching the encrypted traffic, viewers can see that traffic is there, but they cannot tell what type it is—whether it is Web traffic, VoIP, video, IPv4 or IPv6, PCP, TCP, UDP or ARP. This proves that the MACsec security function is working. Traffic emanating from the 3500 device, which lacks MACsec technology, clearly reveals its types and protocols—and even its payload contents if it is not using a higher-level encryption protocol such as SSL or SSH. The demo shows how MACsec software protects the network from inside—and Director xStream Pro can also reveal the payload. With encryption and decryption performed locally, it is easier to deploy IT insertion points for IDSs, anti-virus protection, load balancing and traffic management. MACsec’s strong encryption at layer 2 also supports data confidentiality, while integrity checking helps assure that no data modification takes place during transit.
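As an added example (not part of the original brief, and not Net Optics’ or Cisco’s software), the following Python shows on constructed frames what the tap-and-analyzer view described above can and cannot learn: a MACsec frame (IEEE 802.1AE EtherType 0x88E5) exposes only its SecTAG, while a cleartext frame reveals its protocol stack, and the audit() function turns that into the per-link encrypted-versus-cleartext tally the compliance section describes. The switch MACs, sample frames and function names are assumptions made up for the example.

```python
import struct
MACSEC_ETHERTYPE = 0x88E5  # IEEE 802.1AE SecTAG EtherType
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def classify_frame(frame: bytes) -> dict:
    """Report what a passive tap observer can learn from one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":")}
    if etype == MACSEC_ETHERTYPE:
        # SecTAG: TCI/AN (1 byte), SL (1), PN (4), SCI (8, present only if SC bit set).
        # TCI bits: V=0x80 ES=0x40 SC=0x20 SCB=0x10 E=0x08 C=0x04; AN is the low 2 bits.
        tci = frame[14]
        info.update(protocol="MACsec", encrypted=bool(tci & 0x08), an=tci & 0x03,
                    pn=struct.unpack("!I", frame[16:20])[0],
                    sci=frame[20:28].hex() if tci & 0x20 else None)
        return info  # with E=1 all that follows is ciphertext: no inner type, no payload
    info.update(protocol=ETHERTYPE_NAMES.get(etype, f"0x{etype:04x}"), encrypted=False)
    if etype == 0x0800 and len(frame) >= 34:    # IPv4: protocol field at IP offset 9
        info["l4"] = IP_PROTO_NAMES.get(frame[23], str(frame[23]))
    elif etype == 0x86DD and len(frame) >= 54:  # IPv6: next header at IP offset 6
        info["l4"] = IP_PROTO_NAMES.get(frame[20], str(frame[20]))
    return info

def audit(frames) -> dict:
    """Per-link compliance view: MACsec vs cleartext frame counts and protocols exposed in the clear."""
    report = {}
    for frame in frames:
        c = classify_frame(frame)
        link = tuple(sorted((c["src"], c["dst"])))  # unordered MAC pair = one wire
        entry = report.setdefault(link, {"encrypted": 0, "cleartext": 0, "exposed": set()})
        if c["encrypted"]:
            entry["encrypted"] += 1
        else:
            entry["cleartext"] += 1
            entry["exposed"].add(c["protocol"] + ("/" + c["l4"] if "l4" in c else ""))
    return report

def _eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

# Constructed sample frames (not captured traffic); SW_A/SW_B are made-up switch MACs.
SW_A, SW_B = bytes.fromhex("001122aabb01"), bytes.fromhex("001122aabb02")
# Cleartext IPv4/TCP: 20-byte IPv4 header with protocol=6, followed by a readable payload.
CLEAR_TCP = _eth(SW_B, SW_A, 0x0800, bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6]) + bytes(10) + b"GET / HTTP/1.1")
# MACsec: TCI=0x2C (SC=1, E=1, C=1, AN=0), SL=0, PN=1, SCI=SW_A+port 1, then 32 ciphertext bytes.
MACSEC_FRAME = _eth(SW_B, SW_A, MACSEC_ETHERTYPE, bytes([0x2C, 0]) + struct.pack("!I", 1) + SW_A + b"\x00\x01" + bytes(range(32)))
```

An integrity-only MACsec frame (E bit clear) is counted as cleartext by audit(), which is what a compliance check of encryption coverage should flag.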
Summary
Net Optics Taps and Director xStream Pro are helping Cisco offer irrefutable proof that the MACsec-enabled software in its switches helps secure a network from the inside on a hop-by-hop basis. MACsec also enables each hop to act as an IT insertion point for security purposes. Using MACsec, IT departments can now monitor and inspect internal LAN traffic. This capability is fundamental to Cisco’s Borderless Security Architecture, part of the Borderless Network vision. Now, Net Optics Taps and Director xStream Pro are helping Cisco prove how vital MACsec is to the confidentiality and integrity of the LAN.
Net Optics Director xStream Pro’s Live Data Statistics feature enables Cisco to demonstrate the secure exchange of data between switches. As shown in the illustration, Director xStream Pro’s GUI makes the contrast between MACsec encryption and unencrypted data dramatically visible. The display shows encrypted traffic as unreadable, while unencrypted traffic types are easily identified. Director xStream Pro’s Live Data Statistics capability also lets users import statistics into a SQL database or spreadsheet for compliance support and instant insight into network status and health.
5303 Betsy Ross Drive
Santa Clara, CA 95054
Tel: +1 (408) 737-7777
www.netoptics.com
Net Optics® is a registered trademark of Net Optics, an Ixia company.
Copyright 1996-2013 Net Optics, an Ixia company. All rights reserved.
Additional company and product names may be trademarks or registered
trademarks of the individual companies and are respectfully acknowledged.