Hey Everyone guess what day it is! That's right, it's Friday, which means it is time for another FEATURE FRIDAY!!!!
Today, we are going to discuss one of the most popular Session Smart Router features: Adaptive Encryption.
Hopefully, you are already aware of the benefits of using Secure Vector Routing (SVR) with your Session Smart Routers (SSRs). If not, here's a refresher: Juniper Session Smart Technology Overview (thank you @Reid!)
Two of the biggest benefits of SVR are:
- Built-in Security (i.e., encryption and NAT)
- Reduced bandwidth compared to tunneled traffic like IPsec and GRE
Security Policies
The security features within our Session Smart Routers are controlled via the Security Policy. Here is where we set our ciphers for HMAC and Encryption as well as input our keys. The Session Smart Routers use symmetric-key encryption and authentication so you will want to make sure that the sending and receiving SSRs have the same keys and ciphers set in their Security Policies.
Anyway, if you look at some of the other settings within a Security Policy, you will find an on/off toggle for Adaptive Encryption. Adaptive Encryption??? What's that?
What is Adaptive Encryption
Well, I am glad you asked because Adaptive Encryption is a really neat feature. If the Session Smart Router can tell that a Session is already encrypted, for example it's an HTTPS request or another type of request that is using TLS, then it will not do further encryption. However, if the Session Smart Router cannot tell that the session is encrypted, then it will perform encryption on the payload. By not automatically re-encrypting or double encrypting the payload, the Session Smart Router further reduces overhead and costs while still providing strict security.
How to enable Adaptive Encryption
Now that you know what Adaptive Encryption is, you probably want to know how to enable it. Well, you might remember from above that it is an on/off toggle in the Security Policy. However, the Security Policy is just a "policy," meaning we have to apply the policy in order to use it. Adaptive Encryption is done on the Payload, so that means to enable it we need to apply the Security Policy to the Service. This also means that we can set different Security Policies for each Service/Application. For example, we can have some applications that are always encrypted (regardless of encryption status) via the SSR, while others are never encrypted.
NOTE: Security Policies are placed in 3 areas:
- At the Router: for inter-node encryption and authentication (think HA)
- At the Service: which affects how the Payload will be encrypted
- At the Adjacency: which affects how the metadata will be hashed and encrypted. This Security Policy should match the Security Policy that is applied to the receiving Router's Network Interface.
So yea, that's Adaptive Encryption! For more information check out our
- Adaptive Encryption Documentation.
- This great blog entry by Patrick Melampy
- And this fantastic demo on how to use Adaptive Encryption by @Stephen Voto (No, he didn't do the voice over)
Alright, enough from me, we want to hear from you:
- Have you used Adaptive Encryption yet?
- Do you have some applications that you always want to encrypt and others that you never want to encrypt?
- Do you have any examples of how Adaptive Encryption has helped reduce bandwidth usage on your network, saved you money or allowed for more sessions and faster speeds?
Let us know by responding to this thread! With that, I hope you all have a great weekend and I look forward to talking to you soon!
#FeatureFridays #SessionSmartRouter #SSR #securitypolicies #Encryption #AdaptiveEncryption #authentication #SVR
------------------------------
Justin Melloni
------------------------------
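
The per-service behaviour and the "policies must match" rule described in the post, as an added example that is not part of the original post and is not Juniper code. The `SecurityPolicy` fields, the cipher strings and the service names are a hypothetical model built for illustration, not SSR configuration syntax, and whether a session is already encrypted is passed in as an input because the post does not say how the router detects it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPolicy:  # hypothetical model, not SSR config syntax
    name: str
    encrypt: bool        # router encryption on/off
    adaptive: bool       # the Adaptive Encryption toggle
    cipher: str
    hmac_cipher: str
    key_id: str          # label for the key material, never the key itself

def payload_action(policy, session_already_encrypted):
    """Payload treatment for one session under its service's policy."""
    if not policy.encrypt:
        return "not-encrypted"
    if policy.adaptive and session_already_encrypted:
        return "left-as-is"          # e.g. TLS: no second layer added
    return "encrypted"

def mismatches(local, peer):
    """Settings that differ between two policies that must agree."""
    fields = ("encrypt", "cipher", "hmac_cipher", "key_id")
    return [f for f in fields if getattr(local, f) != getattr(peer, f)]

def audit(services, adjacency, peer_interface):
    """Return (scope, finding) pairs worth a reviewer's attention."""
    findings = []
    for service, policy in services.items():
        # A cleartext session is the case that shows whether the router protects it.
        if payload_action(policy, session_already_encrypted=False) != "encrypted":
            findings.append((service, "cleartext sessions are not encrypted"))
    for field in mismatches(adjacency, peer_interface):
        findings.append(("adjacency", f"{field} differs from peer interface"))
    return findings

# Constructed sample inventory (all names and values are illustrative).
ALWAYS = SecurityPolicy("always", True, False, "aes-cbc-256", "sha256", "key-A")
ADAPTIVE = SecurityPolicy("adaptive", True, True, "aes-cbc-256", "sha256", "key-A")
NEVER = SecurityPolicy("never", False, False, "aes-cbc-256", "sha256", "key-A")
PEER = SecurityPolicy("peer-intf", True, False, "aes-cbc-128", "sha256", "key-A")
SERVICES = {"payroll": ALWAYS, "web": ADAPTIVE, "guest-wifi": NEVER}

if __name__ == "__main__":
    for name, pol in SERVICES.items():
        print(name, payload_action(pol, True), payload_action(pol, False))
    for scope, finding in audit(SERVICES, ALWAYS, PEER):
        print(scope, finding)
```
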