Introducing EDGE-to-EDGE encryption

Author: Fabio Streun, Sep 25, 2024

With Anapaya EDGE, you connect your network to the SCION Internet and benefit from the safe and reliable SCION architecture. It provides a secure entry point to the SCION Internet, reducing your network's exposure to threats and ensuring business continuity even during network disruptions.

We are pleased to announce the launch of EDGE-to-EDGE encryption, a new Anapaya EDGE security feature designed to enhance the protection of your network traffic. With EDGE-to-EDGE encryption, you can ensure confidentiality and integrity of your sensitive data as it traverses the SCION Internet. This feature is integrated seamlessly with the other features offered by Anapaya EDGE and requires minimal configuration to set up.

EDGE-to-EDGE encryption is available for Anapaya EDGE Pro customers.

How does EDGE-to-EDGE encryption work?

EDGE-to-EDGE encryption secures your data by encrypting it before it leaves your network and decrypting it when it reaches the destination network. The encryption and decryption are handled by the Anapaya EDGE devices at the network edges, ensuring that your data is protected throughout its journey through the SCION Internet.

EDGE-to-EDGE encryption uses SCION's Public Key Infrastructure (PKI) to establish authenticated connections between Anapaya EDGE devices and to derive the symmetric encryption keys. The IPsec Encapsulating Security Payload (ESP) protocol then encrypts the data packets, protecting them from eavesdropping and tampering.

SCION’s PKI briefly explained

One of the fundamental components of SCION is its Public Key Infrastructure (PKI), which is responsible for the administration of cryptographic keys and certificates in the SCION network. The SCION control plane relies on its own PKI, the SCION control plane PKI (CP-PKI). The CP-PKI offers a secure, transparent, and scalable solution for authenticating entities within the SCION network. The SCION control plane leverages it to establish trust relationships between ASes and to ensure the authenticity of the generated routing information.

Additionally, the Anapaya EDGE uses the CP-PKI to facilitate secure connections to other Anapaya EDGE devices. With the introduction of EDGE-to-EDGE encryption, the PKI now provides the necessary cryptographic material to establish authenticated and encrypted tunnels between Anapaya EDGE devices.

IPsec ESP briefly explained

The IPsec Encapsulating Security Payload (ESP) protocol is a widely used standard for protecting network traffic sent over public networks. It provides confidentiality, integrity, authenticity, and replay protection for its payload. Especially in the context of VPNs, IPsec ESP is a popular choice for securely tunneling traffic over the Internet.
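The replay protection mentioned above comes from the sliding-window check that every ESP receiver performs on the 32-bit sequence number in the ESP header (RFC 4303, section 3.4.3). The following is an added illustration, not Anapaya's code: it implements that check with the RFC's default 64-packet window and shows why the window is only advanced after the packet's integrity check value (ICV) has verified.

```python
class EspAntiReplayWindow:
    """Sliding-window replay check for ESP sequence numbers (RFC 4303 3.4.3).

    `right` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (right - i) has already been accepted.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.right = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Cheap pre-filter run *before* ICV verification: is seq possibly new?"""
        if seq == 0:
            return False                      # seq 0 is never valid on an ESP SA
        if seq > self.right:
            return True                       # to the right of the window: new
        if self.right - seq >= self.size:
            return False                      # fell off the left edge: too old
        return not (self.bitmap >> (self.right - seq)) & 1   # already seen?

    def update(self, seq: int) -> None:
        """Mark seq as seen. Only called once the ICV has verified."""
        if seq > self.right:
            shift = seq - self.right          # slide the window to the right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full receive path: replay check, then ICV, then window update.

        A forged packet with a bad ICV must not move the window, otherwise an
        attacker could make the receiver discard the sender's genuine packets.
        """
        if not self.check(seq):
            return False                      # replayed or stale: drop silently
        if not icv_ok:
            return False                      # tampered: drop, window untouched
        self.update(seq)
        return True
```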

Anapaya EDGE uses IPsec ESP for EDGE-to-EDGE encryption and benefits from its proven security properties and available implementations.

Key benefits of EDGE-to-EDGE encryption

Enhanced security for your network traffic

EDGE-to-EDGE encryption ensures that your data is protected from eavesdropping and tampering as it traverses the SCION Internet. By encrypting your data at the network edges, you can be confident that your data is secure from any kind of unauthorized access.

Moreover, the authentication of incoming network traffic ensures that packets are only received from authorized sources. This safeguards your network against impersonation attacks and can prevent reflection attacks.

Key management with SCION CP-PKI

EDGE-to-EDGE encryption leverages the SCION CP-PKI to establish encrypted and authenticated tunnels between Anapaya EDGE devices. This eliminates the need for complex key management and certificate distribution, making it trivial to set up and manage secure connections between Anapaya EDGE devices.

Flexible configuration options

EDGE-to-EDGE encryption can be enabled for your entire network or just for specific traffic domains, allowing you to tailor the level of security to your requirements. This flexibility lets you secure your most critical network traffic while maintaining maximal performance for other traffic.

Seamless integration with other Anapaya EDGE features

EDGE-to-EDGE encryption is fully integrated with other Anapaya EDGE features, so you can still benefit from path control, fast failover, and network engineering even when encryption is enabled.

How to set up EDGE-to-EDGE encryption

At Anapaya, we believe that security should be simple. That's why we designed EDGE-to-EDGE encryption to be easy to set up. By leveraging the SCION CP-PKI, we eliminate the need for complex certificate management and key distribution, enabling you to secure your network communication with minimal effort. With Anapaya Console, the web-based management interface for your Anapaya infrastructure, you can configure EDGE-to-EDGE encryption with just a few clicks.

The dashboard in Anapaya Console provides an overview of your network traffic and shows you which connections are encrypted and which are not. This makes it easy to validate your security configurations and protect your data.

Use case: Site-to-Site VPN

Anapaya EDGE with EDGE-to-EDGE encryption can serve as a secure and reliable replacement for a traditional site-to-site VPN setup that connects your network to remote sites or cloud services. Some key advantages of using EDGE-to-EDGE encryption for this purpose include:

  • Reduced management overhead: The EDGE-to-EDGE encryption feature eliminates the need for managing an additional VPN infrastructure, including routing configurations and key management. This simplifies management and reduces the risk of misconfiguration.
  • Simplified network architecture: By using EDGE-to-EDGE encryption, VPN gateways become obsolete, reducing the number of devices in your network and simplifying the network architecture.
  • Unified monitoring: By eliminating a separate VPN infrastructure, the network state and traffic between your sites can be monitored from a single management interface. This simplifies troubleshooting. With Anapaya Console, all relevant information is centralized in one location.

Overall, less management effort, a simpler network architecture, and a single monitoring stack reduce costs.

The following diagram illustrates a typical use case for EDGE-to-EDGE encryption. In this scenario, a central office, a branch office, and a cloud service are connected over the SCION Internet using Anapaya EDGE. The data traffic traversing the SCION Internet is encrypted, ensuring its confidentiality and integrity.


To configure a Site-to-Site VPN with EDGE-to-EDGE encryption, define a dedicated traffic domain. This domain should include the IP address ranges of the main office, the branch office, and the cloud service. Specify the Anapaya EDGE devices at the different sites as allowed endpoints for the domain. Most importantly, enable payload encryption for the domain.

Use case: Secure communication with partners

EDGE-to-EDGE encryption is not only beneficial for securing your internal network communication but also for securing your critical communication with partners. The simplicity of the feature makes it easy to set up and manage. You don’t have to exchange keys or certificates with your partners manually because EDGE-to-EDGE encryption utilizes the SCION CP-PKI for authentication.

Only minimal coordination with your partners is required to enable encryption for your network communication.

Future-proofing your network

With the expansion of the SCION Internet, the advantages of using SCION become more apparent, such as better performance regarding latency and bandwidth, better reliability due to more path diversity, and larger reach due to more networks and services connected to the SCION Internet around the world.

However, the expansion also brings some security challenges inherent to any sizeable public Internet. Such challenges include eavesdropping, tampering, and impersonation of network traffic.

Whether such attacks are malicious or accidental, whether they are targeted at your network traffic or not, they can have severe consequences for your business. EDGE-to-EDGE encryption addresses these challenges and prepares your network for the future.

Conclusion

The security of your network infrastructure is paramount to the success of your business. Anapaya EDGE and the SCION Internet provide a solid foundation for reliable and secure routing of your network traffic. With the addition of EDGE-to-EDGE encryption, you can further enhance the security of your network traffic and protect your data from eavesdropping and tampering. The simplicity of the feature makes it easy to set up and manage, ensuring that you can focus on your business while we take care of your network security.

If you are an Anapaya EDGE Pro customer, you can start using EDGE-to-EDGE encryption today. Contact us to learn more about this feature and how it can benefit your network.
