Encrypting data in transit is today a regulatory requirement and a standard of good security practice. The problem is that traditional approaches to network encryption – based on VPNs and IPSec – typically require deep intervention in existing network infrastructure, complex configuration and often costly hardware upgrades. Certes Networks solves this problem with its CryptoFlow technology.
Key findings
- CryptoFlow is a Layer 4 encryption technology that works independently of the network topology
- No infrastructure redesign required – works as an overlay on the existing network
- Encryption is transparent to applications and users
- Cryptographic keys are centrally managed by a dedicated policy server
- The solution meets regulatory requirements, including FIPS 140-2 and NATO requirements
Table of contents
- The problem of network encryption in enterprise environments
- What is CryptoFlow and how is it different from a VPN?
- Technical architecture – Layer 4 encryption
- Central management of keys and policies
- Deployment without infrastructure redesign
- Regulatory compliance and certifications
- Applications in various sectors
- FAQ
- Summary
The problem of network encryption in enterprise environments
Organizations managing wide area networks (WANs), connections between data centers or links to branch offices face a difficult choice: how to encrypt network traffic without crippling operations? Traditional IPSec-based VPN solutions require configuration on each network device, often do not scale to the demands of large environments, and create complex dependencies in the network topology.
An additional problem is the management of cryptographic keys – in large organizations, the number of keys, their rotation and distribution become an operational project in its own right. Without good key management, encryption ceases to be effective, becoming only a semblance of security.
What is CryptoFlow and how is it different from a VPN?
CryptoFlow is an approach to network encryption developed by Certes Networks that, instead of creating dedicated VPN tunnels between network points, implements encryption at the Layer 4 level of the OSI model – the transport layer.
The key difference is that CryptoFlow does not change the network topology or routing. Network traffic follows the same paths as before; it is simply encrypted on the fly by Certes devices placed in the infrastructure. For routers, switches and applications this is completely transparent – they see no change.
Technical architecture – Layer 4 encryption
Layer 4 encryption (transport layer encryption) means that data is encrypted at the TCP/UDP segment level, after the network connection has been established, but before it reaches the application. This approach has several important advantages. First, it preserves the visibility of Layer 2 and Layer 3 network headers – the network can route packets normally and apply QoS policies. Second, encryption is independent of application protocols – it works for any traffic, whether it is HTTP, database or OT protocol.
Certes devices perform encryption with AES-256-GCM algorithms, meeting the highest cryptographic standards, including FIPS 140-2.
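To make the Layer 4 property concrete, the following added example (written for this article; it is not Certes code and does not model the CryptoFlow wire format) encrypts only the payload of a constructed IPv4/TCP packet with AES-256-GCM and leaves the IP and TCP headers in the clear, so the five-tuple a router or QoS engine needs stays readable. The cleartext headers are bound into the GCM authentication tag as additional authenticated data, so an in-path change to addresses or ports is detected on decryption. The packet layout, key generation and the "nonce || ciphertext || tag" payload framing are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed packet model: 20-byte IPv4 header + 20-byte TCP header + payload.
// This is an educational layout chosen for the example, not a vendor format.
const (
	headerLen = 40 // IPv4 (20) + TCP (20), both left in the clear
	nonceLen  = 12 // standard GCM nonce size
	keyLen    = 32 // AES-256
)

// newKey returns a fresh random AES-256 key. In the product the policy server
// distributes keys; here the example simply generates one locally.
func newKey() ([]byte, error) {
	key := make([]byte, keyLen)
	_, err := rand.Read(key)
	return key, err
}

// buildPacket assembles a toy IPv4+TCP packet around the given flow fields.
func buildPacket(srcIP, dstIP [4]byte, srcPort, dstPort uint16, payload []byte) []byte {
	pkt := make([]byte, headerLen+len(payload))
	pkt[0] = 0x45 // IPv4, IHL = 5 words
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = 6  // protocol = TCP
	copy(pkt[12:16], srcIP[:])
	copy(pkt[16:20], dstIP[:])
	binary.BigEndian.PutUint16(pkt[20:22], srcPort)
	binary.BigEndian.PutUint16(pkt[22:24], dstPort)
	pkt[32] = 0x50 // TCP data offset = 5 words
	copy(pkt[headerLen:], payload)
	return pkt
}

// flowTuple reads the routing-relevant fields; it works identically on clear
// and encrypted packets, which is the transparency property described above.
func flowTuple(pkt []byte) string {
	return fmt.Sprintf("%d.%d.%d.%d:%d -> %d.%d.%d.%d:%d",
		pkt[12], pkt[13], pkt[14], pkt[15], binary.BigEndian.Uint16(pkt[20:22]),
		pkt[16], pkt[17], pkt[18], pkt[19], binary.BigEndian.Uint16(pkt[22:24]))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptL4 keeps the headers in the clear and replaces the payload with
// nonce || ciphertext || tag. The headers are authenticated as AAD.
func encryptL4(key, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen {
		return nil, errors.New("packet shorter than IP+TCP headers")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := pkt[headerLen:]
	headers := append([]byte(nil), pkt[:headerLen]...)
	// The IP total-length field must describe the grown packet, and it is part
	// of the authenticated headers, so it is updated before sealing.
	newLen := headerLen + nonceLen + len(payload) + aead.Overhead()
	binary.BigEndian.PutUint16(headers[2:4], uint16(newLen))
	sealed := aead.Seal(nil, nonce, payload, headers)
	out := append(headers, nonce...)
	return append(out, sealed...), nil
}

// decryptL4 reverses encryptL4 and fails if headers or payload were altered.
func decryptL4(key, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen+nonceLen {
		return nil, errors.New("packet too short to carry a nonce")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	headers := pkt[:headerLen]
	nonce := pkt[headerLen : headerLen+nonceLen]
	payload, err := aead.Open(nil, nonce, pkt[headerLen+nonceLen:], headers)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	out := append([]byte(nil), headers...)
	out = append(out, payload...)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(out)))
	return out, nil
}

func main() {
	key, _ := newKey()
	plain := buildPacket([4]byte{10, 1, 0, 5}, [4]byte{10, 2, 0, 9}, 40000, 5432,
		[]byte("SELECT balance FROM accounts")) // constructed sample payload
	enc, _ := encryptL4(key, plain)
	fmt.Println("flow still visible:", flowTuple(enc))
	fmt.Println("payload hidden:", !bytes.Contains(enc, []byte("SELECT")))
	dec, _ := decryptL4(key, enc)
	fmt.Println("round trip ok:", bytes.Equal(dec, plain))
}
```

The design point to take from this is the trade-off the article's architecture implies: because the Layer 3 and Layer 4 headers stay readable for routing and QoS, the flow metadata (who talks to whom, on which port, how much) remains visible to anyone on the path; only the payload is confidential. Authenticating the headers as AAD at least ensures that metadata cannot be altered in transit without the receiving device noticing.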
Central management of keys and policies
The foundation of the CryptoFlow architecture is the Certes Policy Server (CPS) – a central server that manages encryption policies and cryptographic keys. The administrator defines which traffic flows are to be encrypted, between which points and with which parameters – without having to configure each device separately.
Cryptographic keys are generated centrally, distributed securely to devices and automatically rotated according to a defined policy. This automation eliminates one of the biggest operational problems of traditional VPN solutions – manual key management.
Deployment without infrastructure redesign
Deploying CryptoFlow boils down to placing Certes devices in the network infrastructure – physical or virtual – inline or tap. No reconfiguration of existing routers, switches or IP addressing is required.
Certes appliances can be deployed incrementally – protecting the most critical connections first and expanding encryption coverage as needed. This approach minimizes the operational risk of deployment and allows for a gradual migration to an encrypted infrastructure.
Regulatory compliance and certifications
Certes Networks has the certifications and approved algorithms required by regulators in sectors with stringent security requirements. The solution meets FIPS 140-2 requirements, a prerequisite for government and military contracts in the US and many NATO countries. It also supports the NIS2 directive requirements for encrypting data in transit.
Applications in various sectors
In the financial sector, Certes protects transaction data sent between bank branches and the data center, meeting PCI DSS requirements for payment card data encryption. In the government and defense sector, it provides encryption for connections between facilities with different classification levels. In industry, it protects OT and ICS networks from interception of data on the network.
FAQ
Does CryptoFlow work with all types of networks? Yes – CryptoFlow works on Ethernet, MPLS, SD-WAN and connections over the Internet. It is agnostic to the network transport layer.
Does Layer 4 encryption affect network performance? The impact is minimal – Certes devices are optimized for low-latency encryption. For most applications the performance difference is imperceptible.
How does CryptoFlow integrate with existing network management systems? Certes Policy Server integrates with SIEM, SNMP and other management tools through APIs and standard protocols.
Does Certes support cryptographic segmentation? Yes – it is possible to create isolated cryptographic zones in which traffic between zones is encrypted while traffic within a zone can be left unencrypted, which implements the principle of least privilege at the network level.
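The zone model in the answer above can be expressed as a small policy evaluator. The following added example is written for this article and is not the Certes Policy Server or its policy language: it assigns addresses to named zones by prefix, forwards intra-zone traffic in the clear, encrypts traffic between zone pairs the policy explicitly allows, and drops everything else. Treating "no matching policy" as drop rather than clear is this example's own reading of the least-privilege statement; the zone names, prefixes and allowed pairs are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
)

// Action is what an in-path device does with a flow.
type Action int

const (
	Drop    Action = iota // no policy covers the flow (assumed default deny)
	Clear                 // same zone: forwarded unencrypted
	Encrypt               // different zones, explicitly allowed: encrypted
)

func (a Action) String() string { return [...]string{"drop", "clear", "encrypt"}[a] }

// Zone is a named set of IP prefixes.
type Zone struct {
	Name     string
	Prefixes []*net.IPNet
}

// Policy holds the zones and the unordered zone pairs allowed to communicate.
type Policy struct {
	Zones   []Zone
	Allowed map[[2]string]bool
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// pair normalizes a zone pair so A<->B and B<->A are the same key.
func pair(a, b string) [2]string {
	if a > b {
		a, b = b, a
	}
	return [2]string{a, b}
}

// zoneOf returns the first zone whose prefix contains ip.
func (p Policy) zoneOf(ip net.IP) (string, bool) {
	if ip == nil {
		return "", false
	}
	for _, z := range p.Zones {
		for _, n := range z.Prefixes {
			if n.Contains(ip) {
				return z.Name, true
			}
		}
	}
	return "", false
}

// Decide returns the action for a flow from src to dst (dotted-quad strings).
func (p Policy) Decide(src, dst string) Action {
	sz, okS := p.zoneOf(net.ParseIP(src))
	dz, okD := p.zoneOf(net.ParseIP(dst))
	switch {
	case !okS || !okD:
		return Drop // unknown endpoint: no policy, no forwarding
	case sz == dz:
		return Clear
	case p.Allowed[pair(sz, dz)]:
		return Encrypt
	default:
		return Drop
	}
}

// examplePolicy builds constructed sample zones: branches, a data center and
// an OT segment; only branch<->datacenter is permitted (and thus encrypted).
func examplePolicy() Policy {
	return Policy{
		Zones: []Zone{
			{"branch", []*net.IPNet{mustCIDR("10.10.0.0/16")}},
			{"datacenter", []*net.IPNet{mustCIDR("10.20.0.0/16")}},
			{"ot", []*net.IPNet{mustCIDR("192.168.100.0/24")}},
		},
		Allowed: map[[2]string]bool{pair("branch", "datacenter"): true},
	}
}

func main() {
	p := examplePolicy()
	for _, f := range [][2]string{
		{"10.10.1.5", "10.20.0.9"}, {"10.10.1.5", "10.10.2.7"},
		{"10.10.1.5", "192.168.100.3"}, {"203.0.113.7", "10.20.0.9"},
	} {
		fmt.Printf("%s -> %s: %s\n", f[0], f[1], p.Decide(f[0], f[1]))
	}
}
```

Evaluating the flow against the policy before touching the packet is what lets the same appliance forward, encrypt or drop without any change to routing: the decision is taken from addresses that are visible in the clear headers, and only the payload treatment differs.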
Summary
CryptoFlow from Certes Networks is an elegant solution to a difficult problem: how to encrypt network traffic in a large organization without costly infrastructure redesign. Layer 4 encryption, central key management and transparency to the existing network make secure encryption operationally feasible in even the most complex enterprise environments.
