
Partner I Solution Brief

Cisco Systems Chooses Net Optics Director xStream Pro and HD8 Taps to Demonstrate MACsec Security Protocol
When Cisco needed to showcase their newest Borderless Network capabilities and demonstrate MACsec technology at work, they looked to Net Optics. Director xStream Pro generates live statistics from any network segment even at ultra-high data volumes. Since downtime isn't an option, they chose the HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10G networks without introducing a point of failure.
Vulnerability at the access edge is one of today's most urgent security challenges. Now, in a convincing demonstration at the 2011 Cisco Live trade show, Cisco used its own switches, along with Net Optics Director xStream Pro and High-Density HD8 Fiber Taps, to show how its MACsec technology is vital to protecting data in motion by maintaining data encryption and integrity in the LAN. The demo contrasts the vulnerability of data traveling between network switches, both with and without MACsec. Today, authentication alone cannot guarantee the safety of LAN data. Although physical security and end-user awareness remain important, many instances and locations (for example, remote offices and public access) demand greater LAN fortification. One of the promising answers is MAC Security, or MACsec, part of the Borderless Network Integrated Security Features providing superior layer 2 defense against man-in-the-middle attacks such as MAC, IP, and ARP spoofing.

What is MACsec?
MACsec refers to the capability of encrypting data communications between a switch and any attached device, most importantly communication on wired LANs. MACsec (MAC for Media Access Control; sec for security) is the brainchild of the Institute of Electrical and Electronics Engineers (IEEE). Known as Security Standard 802.1AE, MACsec is the industry's new best practice for ensuring data integrity when it comes to independent media access. MACsec is designed to be deployed in conjunction with traditional, higher-level encryption protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH) to enhance security on LANs.

Net Optics Solutions Help Validate and Dramatize the Necessity of MACsec to Cisco Live Visitors
To show how its IOS MACsec software defends LAN data integrity, Cisco used its 6500 Switches, employing Cisco Protocol for MACsec-based wire-rate hop-to-hop layer 2 encryption. MACsec's layer 2 capabilities can identify and block most threats that come from behind the firewall (also known as insider threats). Also used in the demo are the Cisco Catalyst 3500 and Catalyst 4500 family of switches. By using Director xStream Pro, it is possible to demonstrate encryption compliance and validate the proper deployment. The 3500, which does not incorporate MACsec, enables contrasting of encrypted and unencrypted data, the main point of the demonstration.

How does MACsec bolster Borderless Network security?

Used between LAN endpoints, MACsec enables each packet on the wire to be encrypted via symmetric key cryptography. As a result, communications cannot be monitored or altered anywhere on the wire; nor can anyone directly intercept traffic on the line that data travels on. MACsec is one of the most significant advances in network security, enabling confidentiality and identity-based access control at the network edge.

Cisco Live Demo, Tapping Traffic Between Cisco Switches With and Without MACsec, Shows Its Dramatic Impact on Security

[Figure: Cisco and Net Optics in Action at Cisco Live 2011. Topology: three Cisco 6500 Series Switches (WS-C6504-E) across the top; a Net Optics 10G Fiber Tap HD8 (ports A/B, 1/2); a Cisco 3500 Series Switch (Catalyst 3550); Net Optics Director xStream Pro. Legend: MACsec Encrypted Traffic (dashed lines); Unencrypted Traffic (solid lines).]

The diagram shows Cisco 6500 switches across the top, using MACsec technology to encrypt Layer 2 traffic between Cisco's own devices. Initially, traffic is unencrypted, with Cisco then creating a tunnel to perform the encryption. The dashed lines represent encrypted traffic. The solid lines represent unencrypted traffic. This makes the point that without MACsec technology, this traffic remains unencrypted and vulnerable to intrusion and compromise.

Cisco chose the compact Net Optics HD8 Fiber Tap for its ability to deliver full-duplex monitoring of 10 Gigabit networks with 100 percent traffic visibility, including layer 1 and 2 errors. Requiring no power, the Net Optics Tap integrates smoothly with Cisco products and maintains permanent access ports for monitoring tools without introducing a point of failure or interfering with network connections. The newest in Net Optics' arsenal of security solutions, Director xStream Pro is a high-performance engine purpose-built for the demands of the 10G environment. Cisco needed Director xStream Pro's ability to generate and make visible live statistics coming from the switches. Its ability to handle ultra-high data volumes was also important for purposes of the demo.


"We chose their Director xStream Pro and HD8 Fiber Taps because we felt they would offer us the support needed to show the value of our newest MACsec technology: This is your LAN with MACsec, and without it," says a Cisco Technical Marketing Engineer.

MACsec and Director xStream Pro Work Together as a Permanent Compliance Solution
The ability of Director xStream Pro to capture, display, and document the encryption of LAN traffic is a major benefit to companies challenged with regulatory compliance. Director xStream Pro not only verifies that traffic is encrypted, it allows export of statistics into spreadsheets and other documentation, easing compliance verification for auditing purposes. In addition, Director xStream Pro alerts and exposes in real time any problems that might arise with MACsec encryption, allowing users to take instant action and protecting the value of the MACsec investment.

[Figure: Director xStream Pro display. Legend: MACsec Encrypted Data Stream; Unencrypted Data Stream.]

Net Optics Helps Cisco Put the Proof Before Viewers' Eyes
With MACsec-enabled devices, packets are encrypted on exiting the transmitting device and decrypted on entering the receiving device. They are in the clear only within the respective devices. Once the Net Optics HD8 Taps have passively gathered data on the connections, the demo sends data transmissions from the Taps to Director xStream Pro, which collects and displays it clearly in its user interface. Watching the encrypted traffic, viewers can see that traffic is there, but they cannot tell what type it is, whether it is Web traffic, VoIP, video, IPv4 or IPv6, PCP, TCP, UDP or ARP. This proves that the MACsec security function is working. Traffic emanating from the 3500 device, which lacks MACsec technology, clearly reveals its types and protocols, and even its payload contents if it is not using a higher-level encryption protocol such as SSL or SSH. The demo shows how MACsec software protects the network from inside, and Director xStream Pro can also reveal the payload. With encryption and decryption performed locally, it is easier to deploy IT insertion points for IDSs, anti-virus protection, load balancing and traffic management. MACsec's strong encryption at layer 2 also supports data confidentiality, while integrity checking helps assure that no data modification takes place during transit.
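The contrast the demo puts on screen, "traffic is there but its type is unreadable" versus "types, protocols and payload are all visible", follows directly from the frame format. A MACsec-protected frame carries EtherType 0x88E5 followed by an 802.1AE SecTAG (TCI/AN byte, short-length byte, 32-bit packet number, optional 8-byte SCI); when the SecTAG's E bit is set, everything after it is ciphertext, so a passive observer learns only the MAC addresses, the association number and the packet number. The following added example (not Net Optics or Cisco code, and not what Director xStream Pro runs internally) implements that observer's view: it parses constructed sample frames from a tap, reports what is visible in each, and counts frames by protection class as a compliance summary would. It also handles the integrity-only case the brief does not mention (E and C bits clear), in which MACsec authenticates the frame but leaves the payload readable. All frames, MAC addresses and packet numbers are constructed for the example.

```python
import struct

# EtherTypes and IP protocol numbers used by the classifier.
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG follows
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def _upper_protocol(ethertype, payload):
    """Name the protocol an observer can read from a cleartext payload."""
    if ethertype == ETHERTYPE_ARP:
        return "ARP"
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return "IPv4/" + IP_PROTO.get(payload[9], str(payload[9]))   # IPv4 protocol field
    if ethertype == ETHERTYPE_IPV6 and len(payload) >= 40:
        return "IPv6/" + IP_PROTO.get(payload[6], str(payload[6]))   # IPv6 next header
    return "EtherType 0x%04x" % ethertype


def classify_frame(frame):
    """Describe what a passive tap observer learns from one Ethernet frame.

    'protected' means a MACsec SecTAG is present, 'encrypted' means its E bit
    is set (payload is ciphertext), and 'visible' is the protocol the observer
    can identify, or None when the payload is opaque.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "vlan": vlan,
            "protected": False, "encrypted": False, "visible": None}
    if ethertype != ETHERTYPE_MACSEC:
        info["visible"] = _upper_protocol(ethertype, frame[offset:])
        return info
    # 802.1AE SecTAG: TCI/AN (1 byte), SL (1 byte), PN (4 bytes), optional SCI (8 bytes).
    if len(frame) < offset + 6:
        raise ValueError("truncated SecTAG")
    tci_an = frame[offset]
    sc_present = bool(tci_an & 0x20)   # SC bit: explicit SCI follows the PN
    e_bit = bool(tci_an & 0x08)        # E bit: confidentiality applied
    c_bit = bool(tci_an & 0x04)        # C bit: user data changed by the cipher suite
    info.update(protected=True, encrypted=e_bit, an=tci_an & 0x03,
                pn=struct.unpack("!I", frame[offset + 2:offset + 6])[0])
    body = offset + 6 + (8 if sc_present else 0)
    if e_bit or c_bit:
        return info   # payload is opaque: the observer sees only that traffic exists
    # Integrity-only MACsec (E=0, C=0): payload is authenticated but readable.
    inner_type = struct.unpack("!H", frame[body:body + 2])[0]
    info["visible"] = _upper_protocol(inner_type, frame[body + 2:-16])  # drop 16-byte ICV
    return info


def compliance_summary(frames):
    """Count frames by protection class, the statistic a compliance report needs."""
    summary = {"encrypted": 0, "integrity_only": 0, "cleartext": 0}
    for frame in frames:
        info = classify_frame(frame)
        if info["encrypted"]:
            summary["encrypted"] += 1
        elif info["protected"]:
            summary["integrity_only"] += 1
        else:
            summary["cleartext"] += 1
    return summary


def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captures from the Cisco Live demo).
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
# Minimal IPv4 header (protocol 6 = TCP) plus a zeroed 20-byte TCP header.
IPV4_TCP = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6]) + bytes(10) + bytes(20)
# Minimal IPv6 header (next header 17 = UDP) plus a zeroed 8-byte UDP header.
IPV6_UDP = bytes([0x60, 0, 0, 0, 0, 8, 17, 64]) + bytes(32) + bytes(8)
CLEAR_TCP = _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_TCP)
CLEAR_VLAN_UDP = _eth(MAC_B, MAC_A, ETHERTYPE_VLAN,
                      struct.pack("!HH", 100, ETHERTYPE_IPV6) + IPV6_UDP)
# MACsec, E=1 C=1, AN=0, PN=7, no SCI: TCI/AN byte 0x0C, then opaque ciphertext and ICV.
MACSEC_ENC = _eth(MAC_B, MAC_A, ETHERTYPE_MACSEC,
                  bytes([0x0C, 0]) + struct.pack("!I", 7) + bytes(42) + bytes(16))
# MACsec integrity-only, SC=1 (SCI = MAC_A + port 1), PN=8, wrapping the IPv4/TCP frame.
MACSEC_INTEG = _eth(MAC_B, MAC_A, ETHERTYPE_MACSEC,
                    bytes([0x20, 0]) + struct.pack("!I", 8) + MAC_A + b"\x00\x01"
                    + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_TCP + bytes(16))

if __name__ == "__main__":
    for name, frame in [("cleartext TCP", CLEAR_TCP), ("cleartext VLAN UDP", CLEAR_VLAN_UDP),
                        ("MACsec encrypted", MACSEC_ENC), ("MACsec integrity-only", MACSEC_INTEG)]:
        print(name, classify_frame(frame))
    print(compliance_summary([CLEAR_TCP, CLEAR_VLAN_UDP, MACSEC_ENC, MACSEC_INTEG]))
```

The integrity-only branch is the caveat worth carrying into any compliance check built on this idea: a frame with a SecTAG is not automatically confidential, so a monitor should count E-bit frames separately from merely authenticated ones rather than treating "MACsec present" as "encrypted".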

Net Optics Director xStream Pro's Live Data Statistics feature enables Cisco to demonstrate the secure exchange of data between switches. As shown in the illustration, Director xStream Pro's GUI makes the contrast between MACsec encryption and unencrypted data dramatically visible. The display shows encrypted traffic as unreadable, while unencrypted traffic types are easily identified. Director xStream Pro's Live Data Statistics capability also lets users import statistics into a SQL database or spreadsheet for compliance support and instant insight into network status and health.

Summary
Net Optics Taps and Director xStream Pro are helping Cisco offer irrefutable proof that the MACsec-enabled software in its switches helps secure a network from the inside on a hop-by-hop basis. MACsec also enables each hop to act as an IT insertion point for security purposes. Using MACsec, IT departments can now monitor and inspect internal LAN traffic. This capability is fundamental to Cisco's Borderless Security Architecture, part of the Borderless Network vision. Now, Net Optics Taps and Director xStream Pro are helping Cisco prove how vital MACsec is to the confidentiality and integrity of the LAN.

5303 Betsy Ross Drive Santa Clara, CA 95054 Tel: +1 (408) 737-7777 www.netoptics.com
Net Optics is a registered trademark of Net Optics, an Ixia company. Copyright 1996-2013 Net Optics, an Ixia company. All rights reserved. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.