How to transform a VPN into a fully protected network

VPN and fiber optic networks are not per se inherently secure. Hence, a company sharing its business between two or more office locations has to allocate extra resources to protect its IT network. For this security measure and the protection of sensitive company data, two complementary devices are required: Layer-2 encryptors and hardware security modules.

By Andreas Curiger

scheme for the protection of an internal network with multiple locations
Scheme for the protection of an internal network with multiple locations


‘Private’ does not automatically indicate ‘protected’ or ’confidential’. The word ‘private’ just means the opposite of ‘public’. This also applies for a virtual private network VPN, which creates a kind of an intranet via a public network by integrating external sites into the company network. ‘Private’ in the context of a VPN hence means just that the private network will be logically separated from the public network. However, there is often no explicit protection against illicit access as encryption is not mandatory. The same sort of privateness applies to fiber optic networks: data might be  illicitly tapped by organizations willing to invest some effort to get after it.

VPN: often no explicit protection

Hence, managing a company based in multiple locations implies protecting sensitive data in transit.

But how can that be accomplished? During transmission, data might be intercepted anywhere, and there are servers on which various processes might let things go wrong. As such, data will not adequately be protected. What’s more, data protection should not lead to a decrease of transmission speed nor data throughput.

The most effective measure against data theft is encryption.

Finally, security is also a matter of interaction of particular mechanisms and their respective implementation. The following principles will help to protect data effectively:

Centurion link and mesh encryptor
A net encryptor is one of two elements that makes an internal net really secure.
  • The most effective measure against data theft is encryption.
  • Depending on the network topology, data can be encrypted on different layers. The lower the layer, according to the OSI model, the more efficient will be encryption.
  • For corporate networks, layer-2 encryption is most efficient. Data throughput and bandwidth are marginally restricted, and also latency is hardly affected.
  • Encryption in transit is not enough. The start- and endpoints of transmission are precarious points of attack and must be protected too.
  • The lengths of the involved keys should be maximized; the corresponding algorithms should be publicly approved and extensively be tested in practice - in other words, unbreakable according to the state of the art.
  • To generate secure keys, true random numbers with maximum entropy need to be generated – in a dedicated piece of hardware rather than by software.
  • If only sensitive data is encrypted, an attacker could easily extract peripheral data or so-called metadata. This might be prevented by masking the metadata, i.e. by sending and encrypting a continuous stream of data.
  • The encryption keys must be stored securely. This means in a location separate from other data; best in a separate device, a hardware security module (or HSM for short).
Securosys HSM X-Series
A Hardware Security Module (HSM) serves as key vault for encryption keys - for example for a secure internal network.


Distinct Hardware for keys is needed

An effective choice of a security architecture implies the following considerations:

  • A software-only solution is not enough: software alone is not suitable for key generation, just because software is deterministic by nature, hence true random bits cannot be generated. Under such circumstances it might be possible to hack the keys. And as we all know, software always has bugs.
  • Distinct hardware for key generation and storage: For the encryption keys to be safe, they need to be protected against illicit access in an own, dedicated hardware unit.

Encryptor and HSM for security

In order to be safe during transport and storage, sensitive data needs to be protected with two additional elements:

  • a secure layer-2 encryptor
  • a secure HSM
  • both from a trusted manufacturer
  • including a true random number generator
  • proven cryptographic algorithms
  • and corresponding keys with maximum entropy

We recommend our Centurion encryptor and our Primus HSM for an optimal protection of your IT network.

The following publications of the scientific correspondent Christoph Jaggi provide a good insight into the world of layer-2 encryption. They have been receiving worldwide recognition.

Market overview:

English version: Layer 2 Encryptors for Metro and Carrier Ethernet, WANs and MANs; Market Overview Ethernet Encrypts for Carrier Ethernet, MPLS and IP Networks

German version: Layer-2-Verschlüssler für Metro- und Carrier-Ethernet, WANs und MANs; Marktübersicht Ethernet-Verschlüssler für Carrier-Ethernet, MPLS- und IP-Netzwerke (Kurzversion)


English version: Layer 2 Encryptors for Metro and Carrier Ethernet; Ethernet Encryptors for Metro and Carrier Ethernet (an Introduction)

German version: Layer-2-Verschlüssler für Metro und Carrier Ethernet; Ethernet-Verschlüssler für Metro  und Carrier Ethernet; die Einführung