Resilience and efficiency for secure IT networks
Network, manage yourself

When it comes to IT networks, security is good - but security and resilience are even better in the event of an emergency situation. An airline or airport that has to maintain flight operations, for example, will agree with this. However, large and complex networks with particularly high security requirements, such as those used by public authorities, previously had to be configured manually at great expense. This not only impairs efficiency, but also resilience. SINA SOLID puts an end to this: In the event of a change or disruption, the network automatically reorganises itself. Individual SINA workstations can now also automatically connect to their peers in this way, for example to maintain a connection in the event of a crisis.

Mid-February 2023: Thousands of passengers have to put up with delays and flight cancellations due to a global IT glitch at a major airline. At least the cause was quickly identified: an excavator had cut through several fibre optic cables during construction work on a railway line not far from a major German airport.

Such failures are annoying and can sometimes have serious consequences, for example if administrative or government sites are affected. Companies also have to fear economic damage. In general, disruptions in redundant IT networks can be mitigated or avoided altogether through automatic routing, i.e. the self-organised reconfiguration of network components. However, highly secure, IPsec-protected virtual private networks (VPNs) were previously excluded from this: in these networks, the IPsec security associations had to be set up pairwise between the participating gateways, by hand.

This not only had disadvantages in the event of a crisis, but also in day-to-day IT operations: whenever an element was removed or added, it had to be reconfigured. As the number of IPsec gateways in the network grew, so did the administrative effort. The procedure was also prone to errors.

Developed in university research

Finally, the Technical University of Ilmenau took up the problem in a research co-operation with secunet. Prof Dr Günter Schäfer, Head of the Department of Telematics/Computer Networks at the Faculty of Computer Science and Automation, drove the topic forward. The question was: How can a flexible configuration procedure for IPsec-secured VPN be designed in such a way that it reacts dynamically to changes in the network status while minimising manual administration work? The security properties must not be compromised and the process should be scalable to very large VPNs with several thousand security gateways.

The ring structure of SINA SOLID. (c) secunet

The central idea of the Ilmenau research team led by Professor Schäfer was to arrange the gateways in a ring structure with additional cross-connections so that indirect scenarios (security gateways behind security gateways) were also supported. This was the birth of SINA SOLID.

BSI approval

SOLID stands for "Secure OverLay for IPsec Discovery". The process was developed by secunet into a ready-to-use product and for several years has been part of the secure communication solution SINA, which secunet developed in cooperation with the German Federal Office for Information Security (BSI). SINA is a portfolio of security components, from gateways to laptops, which can be used to set up secure IT infrastructures for classified data of different levels of secrecy up to and including SECRET. SINA SOLID is approved for the level VS-NfD, the German equivalent of RESTRICTED.

Automatic routing with SINA SOLID fully retains all the security features of IPsec and SINA. The process enables the network to react dynamically to changes. If, for example, the connection between two sites is interrupted, SOLID will automatically re-route - via another site, for example - without the administration having to take any manual action. If a new SINA L3 Box (a security gateway) is installed, the network will reorganise itself.
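To make the resilience argument behind the ring structure concrete, the following is an added illustration and not SINA SOLID's actual discovery protocol or any secunet code: gateways are modelled as nodes of a ring overlay with optional cross-connections (the chord spacing, the eight-node example and the helper names are assumptions), links are cut to simulate failed lines, and the fallback path that a self-organising overlay could use is computed.

```python
from collections import deque


def ring_overlay(n, chord_step=0):
    """Constructed overlay: n gateways in a ring; if chord_step > 0 every
    gateway additionally has a cross-connection to the gateway chord_step
    positions ahead. Links are undirected, stored as frozensets of endpoints."""
    links = set()
    for i in range(n):
        links.add(frozenset((i, (i + 1) % n)))             # ring neighbour
        if chord_step:
            links.add(frozenset((i, (i + chord_step) % n)))  # cross-connection
    return links


def cut(links, a, b):
    """Return the overlay with the link a<->b removed (a severed line)."""
    return links - {frozenset((a, b))}


def route(links, src, dst):
    """Breadth-first search over the links that are still up: the path the
    overlay can fall back to. Returns None if src and dst are partitioned."""
    adj = {}
    for link in links:
        a, b = tuple(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:          # walk predecessors back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def path_after_cuts(n, chord_step, cuts, src, dst):
    """Build the overlay, apply the given link failures and route src -> dst."""
    links = ring_overlay(n, chord_step)
    for a, b in cuts:
        links = cut(links, a, b)
    return route(links, src, dst)
```

A plain ring survives a single cut by routing the long way round but is partitioned by two cuts; with cross-connections the same two cuts still leave a short detour.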

Geo-redundant clusters

SINA SOLID can also ensure that all SINA L3 Boxes in a network are on standby, even across multiple remote locations, in the event of system failure. This allows geo-redundant clusters to be set up to increase resilience.

These clusters can also be very helpful in conjunction with an innovation in SINA SOLID. In addition to the gateways, the clients - SINA Workstations as specially secured laptops at RESTRICTED level - can now also reconnect on their own. "This is particularly advantageous in the event of a crisis," says Armin Wappenschmidt, Head of Innovations and Product Management at secunet, who is responsible for the further development of SINA SOLID. "Usually, all data traffic runs via the access gateways. This is problematic in the event of a central system failure: if these gateways are not accessible despite the redundancies in place, employees can no longer connect to the intranet or at least use any central services."

SINA SOLID: Decentralised server access and peer-to-peer communication between SINA Workstations. (c) secunet

Clever routing instead of a bottleneck

With SINA SOLID, on the other hand, the SINA Workstations at RESTRICTED level can now also connect to a geo-redundant cluster at another location. "As there are now many potential paths, no central bottleneck occurs," explains Wappenschmidt. "With the constant increase in data traffic, this is an important step towards greater resilience."

In addition, the RESTRICTED-level SINA Workstations can also connect to each other for the first time (so-called "peer-to-peer communication"). This also relieves the centralised access points, as telephony and video data no longer have to pass through the bottleneck. In addition, even if the connection between the locations is interrupted, the clients can still communicate with each other. This means that, if configured accordingly, phone calls can still be made and bilateral video calls and applications that work without a central server are still available.

"These are utilisation scenarios that make crisis communication much easier in the event of a central server failure," says Wappenschmidt. "But it's not just in crisis situations that a self-organising network pays off. Administrators will appreciate the fact that they don't have to take action for every new network component that is added - such activities can quickly become a Sisyphean task in large networks."

"SINA SOLID is another example of how highly secure networks for special purposes such as classified information can now be used and managed just as easily as insecure or commercial networks."

Global Head of Innovations and Product Management, secunet

HEAT accelerates the pace of network encryption

SINA's architecture allows many of the sophisticated security measures to run in the background without users having to worry about them. This is also the case with the central measure, network encryption. In direct comparison with conventional, unprotected network components, however, it is noticeable that network encryption requires significantly more computing power. This is inherent to encryption, but it can certainly slow down everyday computing tasks. To counteract this effect, the Faculty of Computer Science and Automation at TU Ilmenau has developed HEAT together with secunet.

HEAT stands for "High-Speed Encryption Acceleration Track" and gives network encryption a real boost. This is achieved, among other things, by reserving some of the hardware's processor cores (CPU cores) exclusively for network encryption, while the remaining cores handle all other tasks.

A good analogy might be the branch of a parcel service that wants to increase the number of parcels sent each day. Until now, the branch's 20 employees have taken care of everything equally: Parcel deliveries, but also numerous other products and services offered in the branch. The administrative workload was high because new work equipment had to be constantly fetched and the desks had to be cleared after each process - after all, the next customer could have a completely different request. However, 16 of the 20 employees now only process parcels, and there are different queues for customers who want to send parcels and those with other requests. Since the reorganisation, the branch has handled significantly more parcels per day and has even been named "Branch of the Year" for this reason.

HEAT is available with the latest software version of the SINA L3 Box in conjunction with SINA SOLID.


secuview is the online magazine of secunet, Germany's leading cybersecurity company. Here you will find news, trends, viewpoints and background information from the world of cybersecurity for public authorities and companies. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.


In addition to the online magazine, secuview is published twice a year as a journal, which you can subscribe to free of charge in printed form or download as a PDF.


© 2024 secunet Security Networks AG