Securing the Wireless Backhaul Network with Harmony
As of late, security has become a greater concern for all network operators, whether it is for enterprise service, mobile service or residential access. This is a critical topic, and the knee-jerk reaction is often to maximize the security functionality on all elements of the backhaul network. This, however, can be very costly, as it can increase network element cost, decrease network efficiency and prevent some network functions from operating properly. A more strategic approach for network operators is to look at the end-to-end backhaul network architecture, analyze security threats, and then apply appropriate security mechanisms where they are deemed to be necessary within the network.
One of the key types of data encryption to consider is IPsec, which is applied on an end-to-end path basis. The advantage is that when it is applied at all end points, intermediate encryption is not required, and there is no overlap. The downside of this approach is that encrypted traffic does not compress well: unless data optimization for compression is also done at the end points, the encryption will minimize the amount of compression that can be done at intermediate points, and could reduce network efficiency by 50% or more. In addition, it is very computationally intensive to encrypt all flows at the end points, which can have service or cost impacts as a result.
Alternatively, encryption can be done on a per-segment basis with Harmony microwave products. For example, 256-bit AES encryption can be used on Harmony microwave links. This allows Harmony to first perform any compression via the bandwidth accelerator and then encrypt the compressed data, therefore allowing the benefits of both.
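The effect of ordering described in the two paragraphs above can be measured directly. The following is an added example, not DragonWave code: it uses zlib as a stand-in for a link compressor and a SHA-256 counter-mode keystream as a stand-in for AES (an assumption made so it runs with the Python standard library only), on constructed sample traffic with a made-up host name.

```python
import hashlib
import zlib

def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), used only so the
    example runs with the standard library. It is NOT AES and not for real use.
    XOR with the same keystream also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def constructed_payload(records: int = 400) -> bytes:
    """Constructed sample traffic: repetitive text records."""
    return b"".join(
        b"GET /cell/%04d/status HTTP/1.1\r\nHost: core.example\r\n\r\n" % i
        for i in range(records)
    )

def link_bytes(payload: bytes, key: bytes) -> dict:
    """Bytes that cross the radio link under each ordering."""
    # End-to-end: the endpoint encrypts, so the link compressor sees ciphertext.
    e2e = zlib.compress(keystream_encrypt(key, payload), 9)
    # Per-segment: the link compresses first, then encrypts the compressed stream.
    seg = keystream_encrypt(key, zlib.compress(payload, 9))
    return {"plaintext": len(payload),
            "encrypt_then_compress": len(e2e),
            "compress_then_encrypt": len(seg)}

def roundtrip_ok(payload: bytes, key: bytes) -> bool:
    """Receiving end of the per-segment path: decrypt, then decompress."""
    sent = keystream_encrypt(key, zlib.compress(payload, 9))
    return zlib.decompress(keystream_encrypt(key, sent)) == payload

if __name__ == "__main__":
    key = b"constructed-demo-key"
    for name, size in link_bytes(constructed_payload(), key).items():
        print(f"{name:>22}: {size} bytes")
    print("round trip ok:", roundtrip_ok(constructed_payload(), key))
```

The length of compress-then-encrypt output still varies with how redundant the plaintext is, so the encryption does not hide traffic volume on the link.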
In a segment-by-segment architecture, MACsec can optionally be used for the port-to-port connection between two independent devices. This capability will often drive additional equipment cost, and may not be required if there is sufficient physical security (for example, equipment installed on the top of a 300-foot secured tower). If it is required, it is supported on the Ethernet ports of the Harmony radios.
Another key element of network security to consider is equipment management and control. DragonWave’s Harmony products support highly secure encrypted network management protocols, including SNMPv3, SSH, and SSL. In addition, highly controlled user authentication is enabled in the Harmony product line through standards, such as RADIUS and TACACS+ user authentication, to ensure passwords are properly protected and controlled. DragonWave’s Harmony radios also support secure modes to enforce password rules and other strict security modes of operation.
There is no single blueprint security architecture for backhaul networks. Rather, it is critical for the operator to closely examine their backhaul network, equipment capabilities, security vulnerabilities, physical environment, and required network functions, then use these requirements to drive an end-to-end security architecture. DragonWave’s Harmony products offer a full suite of security capabilities to meet each operator’s unique security requirements.