Essar group’s global reach is a boon as well as a bane: its diversified businesses range across verticals like steel, power, telecom, shipping and engineering. This wide presence (valued at close to $17 billion), along with the potential threat to sensitive data flowing across its diversified business environments, makes data security essential for Essar. This is why the Indian corporate behemoth adopted encryption for WAN traffic between its remote locations.
Hemanta Kumar Raval, the team lead for IT security at Essar’s IT infrastructure project group has been closely involved with the WAN encryption implementation. The process was set rolling in July 2011 when Essar’s management observed that the existing multiprotocol label switching (MPLS) architecture did not serve the group’s need for confidentiality.
Why encrypt the WAN?
According to Raval, MPLS technology does not provide encryption. It merely labels and provides logical segregation of traffic. MPLS services at Essar were from different service providers who typically offer the same MPLS services to multiple companies. Local transport is further outsourced to third-party carriers using shared networks. An alternative to protect the confidentiality of data travelling through third-party, sub-contractor or ISP networks became imperative.
While solutions existed to provide piecemeal encryption for individual protocols, none provided the end-to-end coverage of WAN encryption, as per Raval. Legacy applications depended on protocols like Telnet and FTP, which lack encryption. Several methods were considered, including IPsec tunneling, site-to-site tunneling and WAN encryption.
Essar does not have a hub-and-spoke model. Given the number of sites with distributed data centers and the dynamic nature of the business, scalability (the n^2 problem of point-to-point tunnels) became a big factor in selecting WAN encryption. The second major criterion was compatibility with quality of service (QoS), which is extensively implemented on Essar’s network. IPsec and site-to-site tunneling technologies were not feasible on these fronts.
WAN encryption was the way to go, and Essar settled on Cisco’s tunnel-less Group Encrypted Transport (GET) VPN solution. Based on the group domain of interpretation (GDOI) protocol defined in RFC 3547, it supports open standard technologies like 3DES and AES 128/192/256 algorithms. This solved point-to-point encryption’s scalability issues, says Raval. Any-to-any instant connectivity could now be done to scale with this setup, without compromising Essar’s advanced QoS and multicast replication.
WAN encryption: Implementation and challenges
After consultations with Cisco and its partner (Vadodara-based Meridian Infotech), Essar’s internal team began the WAN encryption rollout in July 2011. Starting with a POC at three locations, it was gradually expanded to Essar’s entire WAN. From an infrastructure point of view, Essar did not require significant investments.
Since Cisco’s GET VPN technology is an IOS feature, it requires Cisco routers and network devices running an advanced IOS image. Raval explains that much of Essar’s network was already based on Cisco devices. While none of the newer devices needed replacement, older models which lacked advanced IOS support had to be upgraded. Apart from Essar’s vast infrastructure, the main challenge was to meet baseline configurations for WAN encryption: baseline standards for devices (like IOS support and adequate memory) had to be ensured. The initial learning curve for advanced WAN encryption configuration was steep. Operationally, the technology seems to be working very well, according to Raval.
Since the hardware was thus already in place, says Raval, no additional licenses needed to be procured. The solution has so far been rolled out for Essar’s Tata MPLS cloud; WAN encryption for Essar’s remaining cloud with Bharti Airtel is underway. Essar’s WAN encryption implementation is managed from its integrated network operations center (NOC) at Hazira. The rollout was completed by April 2012. At present, only Essar’s Indian network is protected by this WAN encryption technology.
WAN encryption architecture
The current WAN encryption setup has two redundant GET VPN key servers—at Essar’s Mahalaxmi location (Mumbai) and Essar’s primary data-center in Hazira, Gujarat. These GET VPN key servers manage the WAN encryption implementation’s defined security policies in addition to creating and distributing group/policy keys. Using these keys, traffic between Essar’s remote locations is encrypted by routers, as it leaves the organization’s network.
Each router is registered and validated by the GET VPN key server as a group member, and participates in encryption, routing between unsecured regions, and multicasting. Network traffic over the WAN is encrypted using AES 256-bit encryption (with SHA for hashing). The GET VPN key server periodically replaces these IPsec WAN encryption keys before they expire. Group members can communicate freely using these keys, says Raval.
The policies are defined as per requirement, excluding already-encrypted protocols like SSH. However, Raval asserts that all traffic can be encrypted if required, since encryption latency for GET VPN is low. GET VPN also preserves the original IP headers, which keeps QoS and multicast working and improves application performance.
Post-implementation dividends and future plans
Essar’s GET VPN implementation scales WAN encryption across its corporate network. All of Essar’s data-in-motion is now secure. Essar’s network’s QoS and multicast capabilities have been retained while achieving end-to-end encryption to all remote locations. Latency is low, and existing implementations have not faced any conflicts. End users have experienced no changes. Managing the WAN encryption setup is straightforward and simple, apart from the invested man hours, says Raval.
Essar plans to replicate this success across its international sites. While technical challenges are minimal, the impediment to implementing WAN encryption at Essar’s international sites is the varied encryption norms in different countries. Essar plans to create separate groups for such sites with customized policies. At present, such requirements are being recorded to extend Essar’s WAN encryption umbrella abroad.
This was first published in April 2012