In my last blog, I talked about the proliferation of IT services at the digital edge, how it creates new cybersecurity challenges, and what digital leaders are doing to overcome those new challenges. I focused on the promise of MACsec technology to enable encrypted multi-domain data transport, and how the advent of WAN MACsec could make this groundbreaking encryption methodology viable for use on a global scale.
In this post, we’ll expand upon that idea with a deeper look at why MACsec can be beneficial for federal agencies that need to operate at the digital edge without exposing mission-critical data to cybersecurity risks. Then, we’ll look at how Cisco and Equinix are partnering to turn the dream of WAN MACsec on a global scale into reality.
The data center consolidation and Cloud Smart initiatives have taken flight
A growing number of federal agencies have begun to execute their digital transformation strategies. In doing so, they are discovering that extending the boundary of agency networks to interconnection platforms like Equinix may require an extensible security framework that will capture the extended demarcation of these new geo-disparate sources of cloud and other services.
Shifting to an IT architecture built around commercial colocation facilities can help agencies take a cloud-adjacent approach to hybrid multicloud. This means agencies can place their mission-sensitive data sets in colocation facilities that are also home to on-ramps to major cloud service providers. This allows federal agencies to keep control and security over their on-premises workloads, while also taking advantage of on-demand access to public cloud services whenever they need them.
Shifting to cloud-adjacent infrastructure can accelerate IT modernization. However, high-speed connectivity between different colocation/interconnection facilities is also an important consideration, especially with so many agencies having a global mission scope. Agencies are increasingly learning that IPsec alone may not be up to the task.
Although IPsec is still highly valued by network engineers for its longstanding flexibility and encryption capabilities, it’s arguably not the best option for use cases involving high-speed links, given the performance “taxation” associated with it. As E-Line services become more prolific, extending both nationally and internationally in contiguous fashion, they have given agencies new Layer 2 transport options that provide ever-increasing capacity along with inherent security. As a result, these services have become the standard for extending traditional agency networks to digital interconnection platforms like Equinix to exploit multi-vendor interoperable digital infrastructure on a global scale.
Ethernet services continue to expand in exponential fashion. The available bandwidth of physical ports and logical Ethernet Virtual Private Line (EVPL) circuits is increasing: 100Gbps interfaces are now commonplace, while 400Gbps interfaces are also starting to be deployed in some places. With this greater capacity comes greater potential for router scalability and performance.
As faster Ethernet speeds become the norm and agencies find themselves having to move larger workloads generated by hybrid multicloud and intercloud architectures, IPsec encryption—traditionally associated with IP/internet transport that traverses an unpredictable path between endpoints—becomes far less efficient. A more predictable Layer 2/Ethernet path with “wire-speed” encryption is more often the desired solution for these increasingly larger mission-critical workloads.
WAN MACsec encryption can significantly enhance security when leveraging an interconnected multi-vendor digital infrastructure platform
With an ever-increasing need for speed, capacity and security, shifting to a globally extensible Ethernet/MACsec construct can readily accommodate these requirements. With the relatively recent development of WAN MACsec, coupled with Equinix Fabric™—an on-demand, varied-capacity EVPL service providing portal-based interconnectivity between essentially all Equinix metro locations globally—agencies are now able to take advantage of inherent operational efficiency and regulatory compliance benefits.
Cisco has played a leading role in introducing a growing number of products in their portfolio that readily support WAN MACsec encryption, providing the ideal customer edge gear solution for Equinix customers. This enables a contiguous WAN MACsec encrypted session from the government premises location to any number of integrated digital service provider endpoints on Equinix Fabric. This is vital at a time when federal agencies increasingly need to align with multiple cloud providers across various public cloud availability regions. Cisco’s white paper from 2016[1] is the seminal publication covering WAN MACsec and its common deployment use cases; the company has been working to drive expansion and innovation in WAN MACsec technology ever since.
Cisco and Equinix partner to show how MACsec can be enabled on a global scale
One example of the innovation Cisco is driving in the WAN MACsec space is its partnership with Equinix. The goal of this partnership is to demonstrate the efficacy of WAN MACsec over Equinix Fabric, our software-defined, E-Line suite of transport services (including EVPL, EPL, and others to follow). Our recent proof of concept pairs Equinix Fabric, specifically the EVPL service, with Cisco WAN MACsec capabilities to demonstrate how federal agencies can simultaneously address two key aspects of their IT modernization efforts:
- Enabling regionally distributed digital infrastructure with easy access to hundreds of potential digital service provider partners.
- Ensuring secure, high-speed data traffic with those partners on a global scale.
“The global footprint of Platform Equinix and the software-defined interconnection and Ethernet capabilities of Equinix Fabric make Equinix the ideal partner to support the work Cisco is doing in the WAN MACsec space. This is a key time for our mutual federal customers as they transition to the cloud, with many agencies thinking about how they can best extend line-rate encryption end to end, while gaining an edge presence closer to their applications in the cloud, which Equinix is best in class in providing. This proof of concept is an important step toward allowing those agencies to confidently deploy WAN MACsec encryption over Equinix Fabric to meet any mission requirements.” - Craig Hill, Distinguished Architect, Cisco Systems
As shown in the graphic below, the testing was performed between Equinix facilities in Ashburn and Miami. A Cisco platform was running in each facility, with Equinix Fabric enabling Ethernet transport between the two facilities. Rather than focusing on performance at this stage, the purpose of the testing is to demonstrate that Equinix Fabric can successfully pass encrypted data between the two facilities. Our combined testing team must ensure many different criteria have been met before we can truly call WAN MACsec on Equinix Fabric a success. Those criteria include:
- Establishing a secure MKA session.
- Encrypting traffic over the data plane using MACsec.
- Validating that WAN MACsec properly adjusted the interface MTU size to account for the additional overhead the MACsec header adds to each packet.
- Successfully running advanced services securely over MACsec.
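The first three criteria can be checked on captured frames. The following sketch is an added example, not code from Equinix or Cisco: it recognizes EAPOL-MKA frames, parses the IEEE 802.1AE SecTAG, and reports the bytes MACsec adds per frame. It assumes the 802.1Q tag is carried in the clear ahead of the SecTAG and that the ICV is 16 bytes; the function names and sample frames are constructed for illustration.

```python
import struct
ETH_8021Q, ETH_MACSEC, ETH_EAPOL = 0x8100, 0x88E5, 0x888E
EAPOL_TYPE_MKA = 5   # EAPOL-MKA packet type in IEEE 802.1X-2010
ICV_LEN = 16         # assumption: 16-byte ICV (GCM-AES default)

def classify(frame: bytes) -> dict:
    """Classify one Ethernet frame as MKA, MACsec or cleartext."""
    if len(frame) < 18:
        raise ValueError("runt frame")
    off, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_8021Q:                    # 802.1Q tag left in the clear
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    off += 2                                  # first byte after the EtherType
    if etype == ETH_EAPOL:                    # byte 1 of EAPOL = packet type
        is_mka = len(frame) > off + 1 and frame[off + 1] == EAPOL_TYPE_MKA
        return {"kind": "mka" if is_mka else "eapol", "vlan": vlan}
    if etype != ETH_MACSEC:
        return {"kind": "cleartext", "vlan": vlan, "ethertype": etype}
    if len(frame) < off + 6:
        raise ValueError("truncated SecTAG")
    tci_an, _sl, pn = struct.unpack_from("!BBI", frame, off)
    has_sci = bool(tci_an & 0x20)             # SC bit: explicit 8-byte SCI
    sectag = 8 + (8 if has_sci else 0)        # EtherType, TCI/AN, SL, PN (+SCI)
    if len(frame) < off - 2 + sectag + ICV_LEN:
        raise ValueError("truncated MACsec frame")
    return {
        "kind": "macsec", "vlan": vlan, "pn": pn, "an": tci_an & 0x03,
        "encrypted": bool(tci_an & 0x08),     # E bit: payload is ciphertext
        "sci": frame[off + 6:off + 14].hex() if has_sci else None,
        "overhead": sectag + ICV_LEN,         # bytes MACsec adds per frame
    }

def unprotected(samples: dict) -> list:
    """Names of frames that are neither MKA nor encrypted MACsec."""
    return [name for name, raw in samples.items()
            if (info := classify(raw))["kind"] != "mka"
            and not info.get("encrypted")]

# Constructed sample frames (not captured traffic); MACs and SCI are made up.
MACS = bytes.fromhex("02000000000a" "02000000000b")
VLAN = bytes.fromhex("81000064")              # VLAN 100 carried in the clear
SECTAG = bytes.fromhex("88e5" "2c" "00" "00000001" "02000000000b0001")
SAMPLES = {
    "macsec": MACS + VLAN + SECTAG + bytes(64) + bytes(ICV_LEN),
    "mka": MACS + VLAN + bytes.fromhex("888e" "03" "05" "0000"),
    "leak": MACS + VLAN + bytes.fromhex("0800") + bytes(46),
}
```

With an explicit SCI the reported overhead is 32 bytes per frame (24 without), which is the amount the interface MTU has to absorb.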
WAN MACsec on Equinix Fabric helps agencies maximize data value
While the results of the testing are still pending, we are confident they will represent an important step forward for WAN MACsec technology, and a new milestone in the partnership between Equinix and Cisco. In the future, we believe Equinix Fabric customers will be able to take advantage of Cisco WAN MACsec technology for encrypted, high-speed interconnection across our entire global footprint.
This could be particularly beneficial for federal agencies that need to make the most of their data by quickly and securely sharing it with their commercial partner ecosystem and other federal agencies, wherever it’s needed.
To learn more about how Equinix can help meet the unique IT modernization requirements of federal agencies, contact us today to schedule a Digital Strategy Briefing. Our team of experts will analyze your agency’s mission and strategic objectives, and then help you outline the steps required for an effective digital strategy.
[1] Cisco, “Innovations in Ethernet Encryption (802.1AE – MACsec) for Securing High Speed (1-100GE) WAN Deployments”. Craig Hill, Stephen Orr. 2016.