Link Encryptor vs. SSL/TLS

Okay, these are very basic questions. First, how does a link encryptor work? Second, if a link encryptor is in place, is there a need for SSL/TLS?


My answer is a little fuzzy, since it’s been years since I even touched stuff like this. I was hoping someone else would have a better answer. However….

I believe that a link encryptor is used to encrypt a particular wire/fiber/cable connection – point-to-point. For example, say the U.S. Pentagon to some other military facility, so that if someone were to tap the cable, all they’d get is gibberish – AND more to the point, the end users would neither know nor have to care about security – it’s been taken care of. They may well put their own security on top of that (such as TLS).

The difference is that the link encryption is typically taken care of by the people who maintain the external connections.

If you’ve got a serious enough need to consider both, then do it – and have them administered by different groups – each accountable in their own right.


Discuss This Question: 1  Reply

  • GBirmingham
    Link encryptors are discrete, external devices that are physically inserted into a communications path, typically between the egress router and the line access device that provides for bulk link encryption. They use a symmetrical encryption key for high throughput under load and encrypt everything that passes through it. Link encryptors are pretty simple devices and they offload the encryption/decryption process from the router (or end-point system if it's directly connected to the external line), saving CPU cycles. It does add a slight throughput delay, so for an application that is sensitive to latency, you need to give the delay some careful consideration.

    From a management perspective you will need to rotate the encryption keys on a regular interval and use a key of sufficient length relative to the lifetime of the data being transmitted over the link. There are a number of articles floating around that provide guidance on proper key length selection. Some link encryption devices permit key rotation from a primary device to a secondary/slave device across the link. Others require physical access to make the change. Consider that when selecting a model to use.

    Link encryption does not protect the data path between the point of data creation and the link encryptor, and that's where SSL/TLS comes into consideration. SSL/TLS is a transport layer protection mechanism, so it lives in the protocol stack of each system connecting to your LAN and can be enabled on a per-application basis. So if you have an application that is creating sensitive information that needs end-to-end privacy protection, then SSL/TLS will protect it from point of creation to point of reception, as long as the application requests that service when sending and receiving data. That's an important factor to consider depending on your communications network topology.

    So to recap: SSL/TLS provides end-to-end security from sender to receiver. Link encryptors protect only parts of the communications pathways. Management of link encryptors requires regular key rotation; SSL/TLS selects a new key pair for each invocation, so less management is required. Both methods have CPU impact and insert latency into the communications pathway, though the external link encryptor offloads the work of encryption/decryption from the router/application system CPU. I hope this helps. George
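The coverage difference George describes, as an added example that is not part of the original thread: a small Python model of a constructed sender-to-receiver path that reports, for each segment, whether a tap there would see application plaintext under link encryption only, SSL/TLS only, or both. The topology, segment names and the assumption that the two link encryptors sit only around the carrier span are illustrative.

```python
from enum import Enum


class Visibility(Enum):
    PLAINTEXT = "plaintext"              # a tap here reads the application data
    TLS_CIPHERTEXT = "tls ciphertext"    # protected end-to-end by the two hosts
    LINK_CIPHERTEXT = "link ciphertext"  # protected hop-to-hop by the link encryptors


# Constructed path (an assumption for illustration), ordered from point of
# creation to point of reception.  Only the carrier span lies between the two
# link encryptors; everything else is LAN or router cabling on either side.
SEGMENTS = (
    ("sender host -> LAN switch", False),
    ("LAN switch -> egress router", False),
    ("egress router -> link encryptor A", False),
    ("link encryptor A -> carrier line -> link encryptor B", True),
    ("link encryptor B -> ingress router", False),
    ("ingress router -> LAN switch", False),
    ("LAN switch -> receiver host", False),
)


def visibility(on_bulk_link: bool, link_encryption: bool, tls: bool) -> Visibility:
    """What a tap on a single segment observes.

    The link encryptor encrypts everything handed to it, so on the bulk link it
    hides even the TLS records; on every other segment only TLS can help.
    """
    if link_encryption and on_bulk_link:
        return Visibility.LINK_CIPHERTEXT
    if tls:
        return Visibility.TLS_CIPHERTEXT
    return Visibility.PLAINTEXT


def exposure_report(link_encryption: bool, tls: bool) -> dict[str, Visibility]:
    """Per-segment visibility for one combination of protections."""
    return {name: visibility(bulk, link_encryption, tls) for name, bulk in SEGMENTS}


def exposed_segments(link_encryption: bool, tls: bool) -> list[str]:
    """Segments on which a tap reads the application plaintext."""
    return [name for name, v in exposure_report(link_encryption, tls).items()
            if v is Visibility.PLAINTEXT]


if __name__ == "__main__":
    for le, tls in ((False, False), (True, False), (False, True), (True, True)):
        print(f"link_encryption={le!s:5} tls={tls!s:5} "
              f"plaintext on {len(exposed_segments(le, tls))} of {len(SEGMENTS)} segments")
```

Running it shows that the link encryptor alone leaves six of the seven constructed segments in plaintext, while TLS alone covers all of them, which is why the reply above treats the two as complementary rather than interchangeable.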
