
Keyur Desai

Ensuring WAN Encryption, minimizing the Security Threat, Loss and Overall Risk


MPLS, as a technology, merely labels traffic and provides logical segregation; it does not encrypt anything. MPLS service providers serve many organizations, and Essar Group is one of them. Local transport is further outsourced to third-party carriers using shared networks. A way to protect the confidentiality of data travelling through ISP networks became imperative.

Building an end-to-end WAN encryption solution was tough, since the available solutions provided encryption only piecemeal. IPsec tunneling was considered.

Essar Group has a mesh topology over an MPLS cloud spanning various service providers. Given the number of sites with distributed data centers and the business' dynamic nature, scalability became a big factor in the selection of WAN encryption. The second major criterion was compatibility with the Quality of Service (QoS) extensively implemented on Essar's network. IPsec and site-to-site tunneling technologies were not feasible on these fronts.

WAN encryption was the way to go, and we settled on Cisco's tunnel-less Group Encrypted Transport (GET) VPN solution. Based on the Group Domain of Interpretation (GDOI) protocol, it supports open-standard algorithms such as 3DES and AES 128/192/256. This solved point-to-point encryption's scalability issues. Any-to-any instant connectivity could now be achieved at scale with this setup, without compromising our organization's advanced QoS and multicast replication.

Implementation and challenges

After consultations with the Cisco team and Cisco partners, we began the WAN encryption rollout with a proof of concept (POC) at three locations; it was gradually expanded to Essar's entire WAN. From an infrastructure point of view, Essar did not require significant investments.

Since Cisco's GET VPN technology is an IOS feature, it requires Cisco routers and network devices running an advanced IOS image. None of the new devices needed replacement, but older models that lacked advanced IOS support had to be upgraded. Apart from Essar's vast infrastructure, the main challenge was to meet baseline configurations for WAN encryption: baseline standards for devices had to be ensured. The initial learning curve for advanced WAN encryption configuration was steep.

Since the hardware was already in place, no additional licenses needed to be procured. The solution was rolled out across 5 different service providers covering the domestic locations of Essar Group. The rollout was completed by April 2012, and the WAN encryption implementation is managed from our integrated network operations center (NOC).

Way Forward

The GET VPN implementation scales WAN encryption across our corporate network. All data in motion is now secure, and our network's QoS and multicast capabilities have been retained while achieving end-to-end encryption to all remote locations. Latency is low, and existing implementations have not faced any conflicts. End users have experienced no changes. Apart from the man hours invested, managing the WAN encryption setup has been straightforward and simple.

While technical challenges are minimal, the impediment to implementing WAN encryption at our international locations is the varied encryption norms in different countries. We plan to create separate groups for such sites with customized policies.