Network security is frequently designed by treating the network as a series of layers, each dedicated to a particular function (data transport, applications, user interaction, and so on). The logic is that an attacker who has to defeat several independent layers in turn will find it hard to reach the heart of the system, where unlimited access or serious damage becomes possible.
Each layer of the network has its own tools, mechanisms, and protocols for guarding its security. One of these is what’s known as link layer encryption.
What’s the Link Layer?
The link layer (or more correctly, the data link layer) is one of the principal levels in the Open Systems Interconnection (OSI) model, a reference model that divides network communication into layers with defined responsibilities. The OSI model is not itself a security standard, but it gives security mechanisms a vocabulary for saying where they operate. There’s a hierarchy of seven levels in the OSI model, from lowest to highest:
- the physical layer
- the data link layer
- the network layer
- the transport layer
- the session layer
- the presentation layer
- the application layer
And Link Layer Encryption?
As the name suggests, link layer encryption (also referred to as link level encryption, or simply link encryption) is performed at the data link layer of an OSI-modeled network stack and involves encrypting information as it passes over a single link between two adjacent points (or nodes) within a network. These “nodes” may be network devices like routers and switches, or endpoint devices like laptops or mobile phones.
A data link frame carries the packet from the network layer (the one above the data link layer, in the OSI hierarchy) as its payload, network headers included. Link layer encryption encrypts that entire payload, so it is transparent to whatever network protocol is in use and, unlike higher-layer encryption, it also hides the network layer addresses from anyone listening on the link.
Link encryption is a relayed process. It typically begins with information held as plain text on a host server that’s encrypted as it leaves the host, and decrypted when it reaches the next link in the chain (which could be another host or a relay point), then encrypted again as it leaves this node to pass on to the next, where it’s decrypted again. And so on.
A different encryption key, or even a different algorithm, may be used on each link, and the cycle repeats until the information reaches its ultimate destination. Link encryption may also be applied one layer lower, at the physical layer of the OSI model.
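The relay described above, as an added example that is not part of the original article: a Python simulation of a packet crossing two links (host A, router R, host B) with a separate key per link. The node names, the packet format and the HMAC-based stream cipher are constructed for the illustration and stand in for the AES-GCM a real link encryptor would use. It shows that an eavesdropper on either wire sees only ciphertext, header included, while the router holds the complete plaintext between its decrypt and re-encrypt steps, and that a tampered frame is rejected at the next node.

```python
"""Hop-by-hop (link) encryption simulation: host A -> router R -> host B.

Constructed example. The cipher below is an HMAC-SHA256 based stream
cipher with an HMAC tag; it illustrates the mechanism only and is not a
substitute for the AES-GCM used by real link encryptors (e.g. MACsec).
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 12, 16


def _subkeys(link_key: bytes):
    # Separate keys for the keystream and for the integrity tag.
    enc = hmac.new(link_key, b"link-enc", hashlib.sha256).digest()
    mac = hmac.new(link_key, b"link-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: block i = HMAC(enc_key, nonce || i).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def link_encrypt(link_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt a whole frame payload for one link: nonce || ciphertext || tag."""
    enc, mac = _subkeys(link_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def link_decrypt(link_key: bytes, frame: bytes) -> bytes:
    """Verify the tag, then strip the link encryption. Raises ValueError on tampering."""
    enc, mac = _subkeys(link_key)
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("link frame failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


# A minimal "network layer" packet: "src->dst\n" header followed by the payload.
def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    return f"{src}->{dst}\n".encode() + payload


def parse_packet(packet: bytes):
    header, _, payload = packet.partition(b"\n")
    src, _, dst = header.decode().partition("->")
    return src, dst, payload


# Constructed topology: A --link1-- R --link2-- B, one random key per link.
LINK_KEYS = {("A", "R"): os.urandom(32), ("R", "B"): os.urandom(32)}
NEXT_HOP = {"A": {"B": "R"}, "R": {"B": "B"}, "B": {}}


def relay(packet: bytes, source: str, link_keys=LINK_KEYS, next_hop=NEXT_HOP):
    """Forward `packet` hop by hop until it reaches the destination in its header.

    Returns (wire, nodes): the encrypted frame an eavesdropper captures on each
    link, and the plaintext each node holds after decrypting the incoming frame.
    """
    wire, nodes = {}, {source: packet}
    node, current = source, packet
    while True:
        _, dst, _ = parse_packet(current)        # routing needs the cleartext header
        if node == dst:
            return wire, nodes
        nxt = next_hop[node][dst]
        key = link_keys[(node, nxt)]
        frame = link_encrypt(key, current)       # encrypt as it leaves this node
        wire[(node, nxt)] = frame
        current = link_decrypt(key, frame)       # decrypt as it arrives at the next
        nodes[nxt] = current                     # plaintext exposed at this node
        node = nxt


if __name__ == "__main__":
    pkt = build_packet("A", "B", b"transfer 100 to account 42")
    wire, nodes = relay(pkt, "A")
    for link, frame in wire.items():
        print(f"on the wire {link}: {frame.hex()[:32]}... (header and payload hidden)")
    print("router R sees:", nodes["R"])
    print("B receives:   ", nodes["B"])
```

Running it prints two unrelated-looking ciphertexts for the two links (a different key and nonce per hop) and the full plaintext, addresses included, at R. Flipping one byte of a captured frame makes `link_decrypt` raise at the receiving node, which is the tamper protection a real link encryptor's authentication tag provides.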
Applications of Link Layer Encryption
In link level encryption, all information is in a cipher state (encrypted), as it travels on its communication paths. The link layer encryption process effectively protects data in transit, so it has great value in environments where the data transmission route is unsecured or potentially at risk.
The internet qualifies as such a transmission route. Note, though, that the two most widely used protocols for securing internet traffic, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), are not link encryption: they operate above the transport layer and encrypt end to end between client and server, so intermediate routers never see plaintext. Link encryption, by contrast, protects each hop separately and is sometimes referred to as online encryption, because every link carries only ciphertext.
Link encryption is also the method of choice for service providers, who can deploy and manage it on their own equipment independently of their subscribers, because it is applied at each end of a link rather than by the subscriber’s software. Service networks for Voice over Internet Protocol (VoIP) telecommunications will typically use link level encryption to protect voice traffic without the per-packet header overhead that would eat into bandwidth, and can still prioritize that traffic because the provider’s own nodes see the decrypted headers.
Since link level encryption requires data to be decrypted at every node, the plaintext is exposed on each router or intermediate host while it examines the headers to decide where to forward the data next. Whoever controls such a node reads the traffic in the clear, so the risk grows when data must transit hosts that are untrusted or known to be insecure.
But if the security of all points along a data transmission route can be guaranteed, then link level encryption can be safely deployed throughout. This is the case in military applications, and in organizations with high-level security protocols.
Though the transmission method can create increased complexity and expense for land-based networks (lots of encrypt/decrypt operations with multiple links and node points), link encryption is ideal for satellite data transmission, where the dangers of eavesdropping are particularly high. Satellite service providers will typically assume responsibility for providing encryption between earth stations.
Benefits of Link Layer Encryption
For service providers, link layer encryption provides a convenient way to guarantee security on their own links regardless of what their subscribers do. For this reason, it’s the preferred encryption technique for the subscriber-to-server and subscriber-to-server-to-subscriber paths that the provider controls.
Since link encryption acts below the network layer and independently of its protocols, the technique offers significant advantages in high-speed data transfers between data centers. Everything in the frame is encrypted, and the per-frame overhead is small and fixed; Internet Protocol Security (IPsec), by contrast, adds headers to every packet, and vendors of link encryptors cite bandwidth overhead savings of as much as 40% over it (the actual figure depends heavily on packet size).
The relay-like nature of the link encryption process allows organizations that need to analyze their network traffic the opportunity to do so at the node points where the data stream is decrypted.
In the past there was no common standard for link encryption devices, requiring organizations to adopt (and remain tied to) solutions from a particular manufacturer. This situation has changed with IEEE 802.1AE (MACsec), a standard for Ethernet link layer encryption now built into many switches and network interfaces, and with appliances that can be deployed in a “set it and forget it” mode. This makes management of the process much less of a burden for overworked IT staff.
Link level encryption is also a best-fit solution for organizations that wish to retain a close hold on their data and intellectual property: when the organization operates the encryptors at both ends of a leased circuit, the carrier in between sees only ciphertext, addressing information included, so it does not even learn who is talking to whom across that link.
Link layer encryption also protects the link itself against “man-in-the-middle” interception by an outsider positioned on the medium, who would otherwise be able to monitor or corrupt an unencrypted data stream. That’s why it is the method of choice for the wireless hop: WPA2 encrypts and authenticates 802.11 frames at the link layer, so a nearby attacker captures only ciphertext. It is not a defense against a compromised intermediate node, which sees the plaintext at its own hop.