The Big Truth Salt Typhoon Reveals About Network Security

By Chris McHenry

What You'll Learn:

• Why the Salt Typhoon hack should promptis forcing organizations to rethink their network security
• The hidden risks of relying on "private circuits" for data protection
• Why MACsec encryption may be leaving your network vulnerable
• Practical alternatives to strengthen your network security
• Steps to implement end-to-end encryption effectively

Join us on January 23rd for an informative discussion, "What the Salt Typhoon Hack Reveals About Network Security" regarding how you can safeguard your data against Salt Typhoon with high-performance encryption. Register here.

End-to-end encryption has taken on new importance following recent guidance from the FBI and CISA urging organizations to make securing network communications a critical priority. The shift stems from a newly uncovered hack by Salt Typhoon, a group associated with China’s Ministry of Public Security — now being called one of the largest hacks of U.S. infrastructure in history.

The campaign, which compromised major trusted telecoms including AT&T, Verizon, and others, prompted U.S. government agencies to do a 180 on their previous guidance discouraging the use of encrypted messaging platforms (think WhatsApp, etc.). Encrypted communications have historically put strain on regulators who are less able to gain access to their contents during the course of criminal investigations. The fact that the agencies are now reversing course on their previous advice shows just how potent this newly discovered threat is.

While we do have practical advice for businesses looking to implement end-to-end encryption within their network communications — which we’ll dive into below — this event is truly a wake-up call for businesses concerned with the security of their information. The scale and scope of this hack, as well as the major players and providers affected, shine a light on vulnerabilities that can exist within even the largest organizations. Ultimately, it’s up to each company to understand and take responsibility for their own security posture. Organizations who trusted “private circuits” from service providers like Verizon and others to protect their data and didn’t invest in encryption need to look into ways to encrypt those circuits.

?? Key Alert: Even "private circuits" from major telecoms like AT&T and Verizon were compromised in the Salt Typhoon hack. Private doesn't mean secure - encryption is essential regardless of your connection type.

The Fallacy of Private Circuits

Many customers trust private circuits from their providers, assuming that because they are not on the internet, they inherently secure traffic. This perception drives the use of private connectivity solutions like AWS DirectConnect and Azure ExpressRoute. However, this is a fallacy — and in the end, many customers fail to encrypt data on these circuits because they trust the provider. While Media Access Control Security (MACsec) is sometimes used for encryption, it is often complicated, expensive, and seems unnecessary. Ultimately, what “private” does not equate to “secure”, and organizations must take control of their privacy with encryption.

You may ask: If private circuits aren’t private, why use them at all? If encryption is the answer either way, why not just do it over the internet instead of private circuits?

There are three main reasons companies pair private circuits with MACsec:

1. Perceived Performance Constraints: Many believe private circuits with MACsec are the only way to achieve encryption while maintaining performance. This is a misconception, and can actually be addressed with innovative solutions like Aviatrix’s patented High-Performance Encryption (HPE) technology.
2. Egress Data-Transfer Costs: Concerns about egress charges often lead customers to private circuits. However, while these circuits have fixed hourly charges from cloud providers, customers also pay ingress and egress fees. Either way, encryption should still be added on top of private circuits. Aviatrix helps customers transition from unencrypted to encrypted environments without added complexity.
3. Dedicated Bandwidth Needs: Some customers value private circuits for guaranteed bandwidth, believing it ensures consistent performance for hybrid cloud applications. However, the internet’s shared bandwidth, running on the same infrastructure, often performs just as well. Aviatrix’s solutions, including Equinix, Megaport, and Secure High-Performance Datacenter Edge integrations, enable encrypted communications over private circuits, offering both security and flexibility.

Security Risks Associated with MACsec

While MACsec provides encryption, it can also introduce vulnerabilities due to its operational design, if you don’t own all the hops. Each physical router along the data path must decrypt your data, and because those physical routers may be owned by another entity, the decrypted data is not under your control.

This process of decryption and re-encryption at every hop leaves the data unencrypted, exposing it to potential interception and exploitation when the data traverses third-party networks, where the routers involved are often outside your ownership or control, making it difficult to ensure consistent security measures.

This security shortcoming, combined with hardware dependencies, licensing costs, and operational complexities, raises significant concerns about MACsec’s overall effectiveness. To protect your network, you must critically assess whether MACsec aligns with your organization’s security needs and explore more secure alternatives.

MACsec’s encryption method leaves gaps that hackers could exploit:

• Decryption Vulnerabilities: Each point where decryption occurs that is outside of your control presents a risk of compromise. Attackers infiltrating any hop could access or manipulate network traffic. If a malicious actor gains access to one of these intermediary nodes within a third party network, they can exploit the decrypted data to exfiltrate sensitive information, inject malicious code, or disrupt communications. The hop-by-hop model inherently increases the number of potential attack surfaces when hops are not owned, magnifying the risk across the network.
• Attack Surface: When using? MACsec, networks become vulnerable to sophisticated threats at every hop outside of your control, including Man-in-the-Middle (MitM) attacks, packet injection, and data exfiltration, to name a few. When an intermediary hop is compromised, attackers can impersonate legitimate devices within the network, intercept sensitive communications, and manipulate data in transit. This method allows attackers to remain undetected while exfiltrating information or planting malicious payloads. Moreover, advanced persistent threats (APTs) can exploit these vulnerabilities to establish long-term footholds within the network, undermining overall security.

?

MACsec Encryption Increases Complexity and Costs

MACsec encryption also intensifies the challenges of cloud complexity — already an issue for overworked networking teams — and high costs:

• Hardware Demands: MACsec encryption requires proprietary, hardware-specific silicon, increasing costs and limiting flexibility.
• Licensing Parameters: Deploying MACsec involves layered licensing costs, such as Cisco’s Edge Sec and DNA licenses, which add to the overall expense.
• Operational Overhead: Managing MACsec encryption demands a secure key infrastructure, which can be complex and costly. This includes navigating between less-secure pre-shared keys or more robust PKI systems and cloud solutions like Azure Key Vault.
• Performance Implications: Encryption and decryption at every network hop introduces latency and potential bottlenecks, affecting overall performance.
• Ingress and Egress Fees: Private circuits have a fixed hourly charge from the cloud service provider. You are charged for both ingress and egress, albeit at a lower rate.

?

You Can Do Better than MACsec: Recommended Alternatives

Aligned with CISA’s guidance, organizations should:

• Adopt End-to-End Encryption: Strengthen security by implementing encryption that protects data continuously across all communication points, reducing vulnerabilities inherent in hop-by-hop encryption methods like MACsec.
• Review Communication Practices: Evaluate internal and external communication methods to ensure comprehensive protection, particularly when exchanging sensitive information.
• Implement Holistic Security Strategies: Replace MACsec with end-to-end encryption to eliminate vulnerabilities and better align with national cyber defense recommendations.

?

MACsec’s limitations in security, cost, and operational complexity make it an ineffective solution for today’s hyper-connected cloud applications. By integrating end-to-end high-performance encryption (HPE) at the network layer in place of MACsec, organizations can better secure their networks, meet stringent compliance requirements, and gain operational efficiency.

Understanding MACsec and how to improve your organization’s encryption is a solid first step toward building your in-house network security muscle and taking back control of your overall network security posture. Another great step? Connect with our cloud networking experts to discuss your unique security challenges. You can also:

• Learn more about how MACsec compares to IPsec for encrypting cloud connectivity.
• Explore Aviatrix’s Secure High-Performance Datacenter Edge, which provides advanced capabilities such as high-performance end-to-end encryption, egress filtering, traffic segmentation, and robust network security.