Secure communication can be implemented at multiple levels depending on the needs:
- Application level: protocols such as SSL, TLS and DTLS, which are designed to protect the traffic of a specific application
- Network level: VPN protocols such as IPsec encapsulate all traffic within a secure tunnel, allowing all traffic from a device to be transmitted securely over the internet
- Data link level: security can also be applied on the link itself, for example to protect an Ethernet link (with the MACsec protocol) or WiFi access
To select the right level of security, one needs to think about what needs to be protected, and then apply security at all necessary levels.
Sometimes, when the data link cannot be trusted, security must be applied at the network level. For example, VPNs are often used to protect devices from being attacked from an untrusted local WiFi network. Such attacks may come from another computer on the same WiFi, from a compromised wireless router (malware such as Mirai has shown how vulnerable they are) or from a rogue Access Point.
For high security, a VPN is used to force all traffic to and from the device through a security infrastructure such as the intranet security infrastructure or a SECaaS (Security-as-a-Service) cloud. Such an infrastructure analyzes all traffic to prevent malware from being accidentally downloaded and to detect abnormal traffic patterns.
Application level protocols like TLS are well suited to protecting traffic from, for example, a banking application to the banking server. But they do not protect data within the application, so technologies to secure the applications themselves are also needed (see the application protection section). In addition, if the application uses the TLS implementation from the device, a compromised device may intercept or modify the data before transmitting it.
To reduce development cost and accelerate time-to-market, the GUARD product family provides security software toolkits for every layer. These toolkits are:
- Widely deployed software stacks used by major companies
- Highly portable well-documented ANSI C source code
- Interoperability tested, compliant to IETF and IEEE standards
- Available with a FIPS 140-2 certified cryptographic module upon request.