xSec is a highly secure data link layer (Layer 2) protocol that provides a unified framework for securing all wired and wireless connections using strong encryption and authentication. xSec gives government agencies and commercial entities that need to transmit extremely sensitive information over wireless networks a Federal Information Processing Standard (FIPS)-compliant mechanism for identity-based security. xSec provides greater security than other Layer 2 encryption technologies through the use of longer keys, FIPS-validated encryption algorithms, and the encryption of Layer 2 header information including MAC addresses.
The need for Layer 2 encryption
Traditionally, encryption has been performed at Layer 3 (Network Layer) in the form of IPsec. IPsec uses 3DES or AES encryption and can encrypt the IP packet including the source and destination IP addresses in the header. IPsec provides a commonly accepted, secure method of communication over untrusted networks, since the only information left unencrypted consists of packet headers and pure Layer 2 traffic such as ARP (Address Resolution Protocol) and DHCP (Dynamic Host Configuration Protocol) packets.
Unified security framework
xSec enables universal authentication and encryption regardless of access method. Every client that connects to the network, wireless or wired, can authenticate to an Aruba Mobility Controller using an xSec client. Authentication inside the xSec protocol is accomplished using standard 802.1X EAP (Extensible Authentication Protocol) and a standard RADIUS server to validate credentials. xSec supports authentication using passwords, certificates, smart cards, token cards, and other credentials supported by the chosen EAP type.
Through the use of AES-CBC with a 256-bit key length for encryption, xSec provides the only COTS (Commercial Off-the-Shelf) Layer 2 protocol that is FIPS validated. As a result, xSec is an ideal solution for security-sensitive applications in the government, finance, and healthcare markets. FIPS is a more stringent security standard than those required in the commercial sector, and therefore more suitable for compliance with commercial regulations such as HIPAA and GLBA.
Legacy investment protection
Most legacy equipment cannot be upgraded to support the latest security standards such as 802.11i and WPA2. xSec encryption, however, is performed in hardware by the Aruba Mobility Controller, and in software at the client level, meaning that an existing network can be upgraded to support the latest security technology without replacing older access points or wireless NICs (network interface cards).
Designed for compatibility
xSec is based on the IEEE security standard 802.1X. Secure EAP methods supported include EAP-TLS, TTLS and PEAP, making xSec compatible with existing security mechanisms such as RSA Tokens and PKI certificates. xSec is designed to be transparent to the Layer 2 infrastructure and can operate through a switched Ethernet network without the risk of EAP frames being intercepted by 802.1X-aware Ethernet switches. Juniper Networks’ Odyssey Client with xSec support is available for Windows 2000, Windows XP and Windows Mobile.
xSec is deployed by activating the xSec software license on an Aruba Mobility Controller and by installing Juniper Networks’ Odyssey Client on a wired or wireless PC. xSec can be used to secure traffic between an Aruba Mobility Controller and a wireless client, between a Mobility Controller and a wired client, or between two Mobility Controllers on the same VLAN.