Use Case: Creating an Encrypted Connection Between Two Company Sites


This use case describes a company with two sites whose networks are to be connected via the internet using a secure, encrypted connection. This connection is used to transmit sensitive company data between the two sites. The connection utilization averages 420 Mbit/s with peaks of up to 1 Gbit/s. The 1 Gbit/s connection between the two sites is implemented as a layer 2 connection using dedicated encryption hardware.

Secure connection

Security Goals

To create a secure connection, it is vital to have full control of the communication. Sensitive, proprietary company data has to be protected by securing the network on the perimeter and by preventing malicious software from entering the network.
Furthermore, it has to be possible to restrict access to individual sensitive areas of the company network (e.g. development, production, server).

Only protecting the networks at the outer perimeter is not sufficient in this scenario. Protection also needs to be implemented inside the network. In theory, this means creating individual network segments with a perimeter firewall for each device in the network. Since this is not feasible in practice, conventional next-generation firewalls implement a zone concept to segment the network into smaller parts with dedicated networks.

A more flexible alternative to this approach is offered by cognitix , a German cyber security start-up. The cognitix Threat Defender provides next-generation firewall features in a layer 2 device that can be installed at any point in the network. This way, it can apply firewall features to all or individual segments of the network. Furthermore, it monitors the behavior of the devices in the network and isolates devices displaying suspicious behavior.
In addition, the Threat Defender provides a sophisticated interactive reporting system  that quickly provides administrators with comprehensive overviews of the network.


Since the two sites are connected on layer 2 of the OSI model, it is possible that the two site networks behave like a single network. It is therefore vital to monitor the traffic in the tunnel using next-generation firewall features while acting completely transparent on layer 2. The cognitix Threat Defender checks the communication and blocks any traffic that is not supposed to enter the tunnel, such as network broadcasts or certain protocols and applications.

The Threat Defender has an integrated IPS. With this database of known threats it can block intrusion attempts. If a device in the network is infected nevertheless, the Threat Defender isolates it and blocks the infected device from communicating with the network, barring the intruder from any further access to the network.
Furthermore, the Threat Defender uses inline real-time correlations that analyze millions of flows and packets to detect abnormal behavior that can be the indication of an attack. Based on these results, port scans, for example, can be detected inside the network and isolated immediately.
With the Threat Defender it is possible to create static and dynamic network objects that are used to segment the network. They can be used with event tracking tables in inline real-time correlations to restrict access to sensitive data. For example, if a person has access to sensitive data, this person can be prevented from accessing the Internet at the same time.
Also, if abnormal behavior is detected, the concerned device can be denied access to sensitive data.


Hardware Information

This network setup is implemented using the following hardware:


Motherboard Supermicro X11SSH-F
Chipset Intel C236
Processors 1x Intel Xeon E3-1270v5
4 cores / 8 threads
3.6 GHz base / 4.0 GHz turbo
Memory 64 GB DDR4 ECC RAM @ 2133MHz
Network cards Intel X710-DA2 with 2x 10GbE SFP+
Storage 480 GB SM863
Samsung Enterprise SSD
Chassis 2U, 19” standard rack


On the above hardware set, the cognitix Threat Defender achieves the following performance values:


New sessions per second (1 byte) 120,000
New sessions per second (64 byte HTTP) 60,000
Maximum sessions 1,400,000
Throughput (1518 byte UDP) 9.4 Gbit/s
Minimal feature throughput (Cisco EMIX 2012) 11.9 Gbit/s
Full feature throughput (Cisco EMIX 2012) 1.6 Gbit/s
Minimal feature throughput
(IXIA BreakingPoint Enterprise Mix) 3.88 Gbit/s
Full feature throughput
(IXIA BreakingPoint Enterprise Mix) 1.95 Gbit/s


If you want to try out the cognitix Threat Defender, you can get a free trial license here.



The networks of the two company sites are connected via the Internet. The secure, encrypted connections between the sites are controlled by the Threat Defender.
Using a layer 2 firewall like the cognitix Threat Defender, it is possible to easily establish network connections between different sites without needing any advanced routing.