EncryptionPLUS+
You take network security seriously, and so do we!
​
Our Software Defined Network (SDN/ SD-WAN) powered Bonded Internet’s EncryptionPLUS™ feature allows for three layers of encryption for site-to-site traffic over public connections, creating IPVPNs for customers looking for an alternative to MPLS. These layers that ensure your security fortress remains strong are;
​
​
-
AES & SALSA20 Tunnel Encryption for Private WANs & IPVPNs
​
Our Software Defined Network (SDN/ SD-WAN) powered Bonded Internet™ has the ability to perform standard IPVPN encryption for hub-and-spoke WANs. Customers can choose between three ciphers to encrypt traffic between the CPE device and the Aggregation server (and vice-versa).
​
​
​
​
​
​
​
​
​
​
​
​
-
Packet Distribution Across Bonded Connections
​
By its nature, our Software Defined Network (SDN/ SD-WAN) powered Bonded Internet spreads traffic across multiple internet connections. Data originating from a host is distributed across multiple carrier circuits and paths. This means that even if an attacker manages to capture one of your individual internet connections, he will only see a small part of your entire traffic. No single circuit carries an entire stream of data, crushing ‘man-in-the-middle’ attacks.
​
​
-
Traffic Authentication
​
Bonded traffic is authenticated by the receiving server with a hash-based message authentication code (HMAC, from RFC2104). This prevents an attacker from modifying or forging bonded traffic between the CPE and Aggregation server.
​​
​
On top of that, Bonded Internet’s security measures include:
​
​
​
Seamless Integration with Existing Network Architecture
​
Your existing network security design will not be impacted. Our Software Defined Network (SDN/ SD WAN) powered Bonded Internet supports all encrypted VPN traffic and is also completely transparent to SSL traffic.
​
​
​
Encrypted Device Configuration Commands
​
Industry-standard SSL protects the appliance from unauthorized control.
​
Remote Bonding Appliance (CPE) Security
​
The bonding appliance is controlled remotely by our special configuration server. In addition to having its own firewall, all communications between the appliance and the Aggregation server are secured by SSL, ensuring that it is protected.
​
How is Encryption Performed?
​
Encryption is performed using private keys generated when the Node or CPE are provisioned, and hosts are authenticated with x.509 certificates signed by a certificate authority on the management server.
​
Each circuit has its own encryption session. For example, a bond of three circuits (a circuit is sometimes referred to as a ‘leg’) uses three independent sessions. Sessions renegotiate keys at the interval defined in the Management Server Bond Options—by default, every hour. This can be disabled by setting the value to 0.
​
Encryption increases the amount of overhead in each packet sent between the CPE and Aggregator, resulting in a smaller MTU available for site traffic. The amount of overhead is different for each cipher. The following list shows the MTU available on a bond with 1500 byte leg MTUs.
​
-
HMAC: 1452 bytes
-
AES 128: 1403 bytes
-
AES 256: 1375 bytes
The AES is one of many NIST-issued Federal Information Processing Standards (FIPS), which are approved by the U.S. Secretary of Commerce before publication to ensure their legal alignment with the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987. It is the only publicly available block cipher approved by the National Security Agency (NSA) for transmission and encryption of secret and top-secret information and intelligence
On the Shoulders of Giants
​
Our service uses the popular open-source Linux distribution Debian. Many contributors around the world work to enhance the security of this operating system; from reviewing code to ensuring that security issues are eliminated before release as well as implementing fixes within hours of a vulnerability becoming known. You benefit greatly from their experience and abilities.
​
​
​
Secure your Internet with our SD WAN and Bonded Internet™.
