
AWS Direct Connect Announced That It Supports MACsec Encryption for Dedicated 10Gbps and 100Gbps Connections


    Unlike entertainment traffic, the data flows behind enterprise applications have, from the very beginning, made security the first problem a CIO has to solve. Key and sensitive information supports the organization's major decisions. If the confidentiality, availability and integrity of that information are challenged, an enterprise would rather shut a data flow down than transmit it at risk. As enterprise data volumes grow, the security capabilities of the public cloud are improving in step with performance requirements. Recently, AWS Direct Connect began providing IEEE 802.1AE MAC Security (MACsec) encryption for 10Gbps and 100Gbps private connections at specific sites to protect users' high-speed private cloud connections.



    MACsec is an IEEE standard and a layer 2 protocol.

    It relies on GCM-AES-128 to provide integrity and confidentiality, and it operates over Ethernet. It can protect all traffic on the LAN, including DHCP and ARP, as well as traffic from higher-layer protocols. IEEE 802.1X-2010 defines a companion protocol, MACsec Key Agreement (MKA), which provides key exchange and mutual authentication of the nodes that want to participate in a MACsec connectivity association. On Linux machines, this is implemented in wpa_supplicant. wpa_supplicant uses an authentication token (a pre-shared key or a username/password pair, similar to the authentication mechanisms used in WiFi) to establish a session with the authentication server, which can be a switch or a Linux host running hostapd. After authentication, the keys are generated and exchanged (through the encrypted channel) and used to configure the MACsec secure link.



    On the wire, a MACsec packet starts with an Ethernet header carrying EtherType 88E5.

    This is followed by the MACsec SecTAG, which contains information that helps the receiver identify the decryption key, plus the packet number (for replay protection). After the SecTAG come the payload, which can be encrypted, and the ICV (integrity check value) generated by GCM-AES, which ensures that the packet was indeed created by a node holding the key and has not been modified in transit on the link.
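The frame layout described above, as an added example that is not from the original page or from AWS: a parser that splits a frame into SecTAG fields, payload and ICV, plus a simplified strict-order check on the packet number. The bit positions follow the IEEE 802.1AE SecTAG layout; the 16-byte ICV length, the `ReplayGuard` class (replay window of 0) and the sample frame are assumptions constructed for illustration.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # assumed: the default 16-byte ICV of GCM-AES-128

def parse_macsec(frame: bytes) -> dict:
    """Split a MACsec frame into SecTAG fields, payload and ICV.
    Parses only; it does not decrypt or verify the ICV."""
    if len(frame) < 20 + ICV_LEN:
        raise ValueError("too short for Ethernet header + SecTAG + ICV")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not MACsec: EtherType 0x{ethertype:04X}")
    tci_an, short_len = frame[14], frame[15] & 0x3F
    (pn,) = struct.unpack("!I", frame[16:20])
    off, sci = 20, None
    if tci_an & 0x20:  # SC bit: an explicit 8-byte SCI follows the PN
        if len(frame) < 28 + ICV_LEN:
            raise ValueError("SC bit set but SCI is truncated")
        sci, off = frame[20:28].hex(), 28
    return {
        "src": frame[6:12].hex(":"),
        "an": tci_an & 0x03,               # association number: selects the key
        "encrypted": bool(tci_an & 0x08),  # E bit
        "pn": pn, "sci": sci, "short_len": short_len,
        "payload": frame[off:-ICV_LEN], "icv": frame[-ICV_LEN:],
    }

class ReplayGuard:
    """Simplified strict-order replay check (replay window of 0)."""
    def __init__(self):
        self.next_pn = 1
    def accept(self, pn: int) -> bool:
        if pn < self.next_pn:
            return False  # old or repeated packet number: drop
        self.next_pn = pn + 1
        return True

# Constructed sample frame (not a capture): SC, E and C bits set, AN 0, PN 5.
SAMPLE = bytes.fromhex(
    "020000000002" "020000000001" "88e5"  # dst MAC, src MAC, EtherType
    "2c" "00" "00000005"                  # TCI/AN, SL, PN
    "0200000000010001"                    # SCI = source MAC + port id
    "a1b2c3d4e5f60718"                    # stand-in ciphertext
    + "00" * ICV_LEN)                     # ICV placeholder, not a real tag

if __name__ == "__main__":
    tag, guard = parse_macsec(SAMPLE), ReplayGuard()
    print(tag["pn"], tag["sci"], guard.accept(tag["pn"]), guard.accept(tag["pn"]))
```

The second `accept` call on the same packet number returns `False`, which is the replay case the SecTAG packet number exists to catch.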


    Because AWS Direct Connect is itself a transport service built on dedicated-line networks, users have to address authentication and replay attacks at the security level in addition to their concerns about network performance. If the SD-WAN professional services provider that helps deliver the Direct Connect service is unreliable, this is a real potential threat. With the introduction of MACsec encryption, these concerns can be well resolved.


    Beyond the depth of the security function, there is the question of throughput. In the past, moving data at several Gbps between the user's private network and AWS meant aggregating multiple IPSec VPN tunnels to break through the throughput limit of a single VPN connection. The complexity of such solutions increases operational risk and makes protecting high-speed connections above 10Gbps less attractive. With MACsec support, AWS Direct Connect can now provide native, near-line-rate point-to-point encryption for 10Gbps and 100Gbps private connections, ensuring continuous protection of data communication between AWS and users' private networks, data centers, offices or colocation facilities.



    GOSDWAN customers who want to use highly available broadband to securely exchange data with AWS will benefit from the MACsec encryption feature.

    This includes users handling sensitive personal information, such as edge computing in financial services or health care, as well as customers with high-bandwidth workloads who need to comply with strict security requirements (such as manufacturing, transportation and public utilities). As an SD-WAN managed service provider, GOSDWAN strongly recommends using more than one connection at the AWS Direct Connect site to ensure high service availability against link failures at the device or colocation level. GOSDWAN also recommends that you use the elastic failover toolkit test function to run a full failover drill of your configuration before going live. Contact us now!

