I'm preparing to take the SSCP test later this month and in going through the material presented in the networking domain, a question came to mind: when transmitting data from an endpoint out to the internet on a network cable, if TLS is used, is the data sent from the client (endpoint) to the LAN's networking infrastructure (physical switch/router) encrypted? As TLS is implemented on Layer 4, I was wondering if the data traversing the wire in a LAN is sent in clear text until it gets to the L3 and lower devices.
SSCP - encryption on the wire
Your question is a good question! So this should take you back to reviewing your OSI model and the concepts of encapsulation and decapsulation as well.
When your endpoint sends data out, encapsulation takes place before the data is put onto the network -- this is preparing the data for the network, and it includes encryption (L7 through L4).
When data is sent to the next device, it reads the bits on the wire, then the L2 and L3 headers, to find out if the transmitted packet is destined for this device according to that L3 information. If the device is another endpoint and the L3 IP address doesn't match... the packet is dropped.
If the device is a router (e.g. the default gateway), then it looks the destination up in the routing table. It rewrites Layer 2 for the next hop and uses the routing table to forward the packet towards the destination network.
Note the router doesn't process beyond L3 if the destination IP of that packet doesn't match the device's IP.
Hope that helps.
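The layering described in the answer above, as an added example that is not part of the original thread: a constructed Ethernet frame carrying IPv4, TCP and one TLS application-data record is built top-down, then processed the way a LAN host and a router would. All MAC and IP addresses are made up, and the TLS record body is an arbitrary stand-in for ciphertext (to a switch or router it is opaque either way). The point it makes concrete: the Ethernet, IP and TCP headers and the 5-byte TLS record header are readable by every device on the wire; only the record body is protected, and a router rewrites L2 and decrements TTL without touching anything from L4 upward.

```python
import struct

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
TLS_APPLICATION_DATA = 0x17   # TLS record content type 23 (application_data)

# Constructed sample identities for the walk-through (not real hosts).
CLIENT_MAC = bytes.fromhex("020000000001")
GATEWAY_MAC = bytes.fromhex("020000000002")   # the LAN's default gateway
NEXT_HOP_MAC = bytes.fromhex("020000000003")  # router beyond the gateway
PEER_MAC = bytes.fromhex("020000000004")      # another host on the same LAN
SERVER_MAC = bytes.fromhex("020000000005")
CLIENT_IP = bytes([192, 168, 1, 10])
GATEWAY_IP = bytes([192, 168, 1, 1])
PEER_IP = bytes([192, 168, 1, 20])
SERVER_IP = bytes([203, 0, 113, 5])           # TEST-NET-3 documentation range

# Stand-in for a TLS record body. To every device on the wire it is opaque
# ciphertext, so arbitrary bytes illustrate it just as well as real output.
SAMPLE_CIPHERTEXT = bytes(range(0x20, 0x40))


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, tls_body, ttl=64):
    """Encapsulate top-down: TLS record -> TCP -> IPv4 -> Ethernet."""
    tls_record = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(tls_body)) + tls_body
    # Minimal TCP header: PSH|ACK, data offset 5; checksum left 0 (not needed for the layering).
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_header) + len(tls_record)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                            ttl, IP_PROTO_TCP, 0, src_ip, dst_ip)
    ip_header = ip_header[:10] + struct.pack("!H", ip_checksum(ip_header)) + ip_header[12:]
    eth_header = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_IPV4)
    return eth_header + ip_header + tcp_header + tls_record


def parse_frame(frame: bytes) -> dict:
    """Decapsulate bottom-up and report what each layer exposes in the clear."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    tls_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
    content_type, version, length = struct.unpack("!BHH", frame[tls_off:tls_off + 5])
    return {
        "dst_mac": frame[0:6], "src_mac": frame[6:12],
        "ttl": frame[14 + 8], "proto": frame[14 + 9],
        "src_ip": frame[14 + 12:14 + 16], "dst_ip": frame[14 + 16:14 + 20],
        "src_port": struct.unpack("!H", frame[tcp_off:tcp_off + 2])[0],
        "dst_port": struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0],
        "tls_content_type": content_type, "tls_version": version,
        "cleartext_bytes": tls_off + 5,   # L2, L3, L4 headers plus the TLS record header
        "tls_body": frame[tls_off + 5:tls_off + 5 + length],  # the only protected part
    }


def endpoint_receive(frame, my_mac, my_ip):
    """A host's decision: L2 address check, then L3 address check, then hand up to L4."""
    f = parse_frame(frame)
    if f["dst_mac"] != my_mac:
        return "dropped at L2"
    if f["dst_ip"] != my_ip:
        return "dropped at L3"
    return "delivered to L4"


def router_forward(frame, router_mac, next_hop_mac):
    """A router's job: rewrite L2 for the next hop, decrement TTL, fix the IP checksum.
    Nothing from L4 upward is read or changed."""
    if frame[0:6] != router_mac:
        return None                       # not addressed to this gateway at L2
    ihl = (frame[14] & 0x0F) * 4
    ip_header = bytearray(frame[14:14 + ihl])
    if ip_header[8] <= 1:
        return None                       # TTL exhausted; a real router sends ICMP Time Exceeded
    ip_header[8] -= 1
    ip_header[10:12] = b"\x00\x00"
    ip_header[10:12] = struct.pack("!H", ip_checksum(bytes(ip_header)))
    return next_hop_mac + router_mac + frame[12:14] + bytes(ip_header) + frame[14 + ihl:]


if __name__ == "__main__":
    frame = build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 51000, 443, SAMPLE_CIPHERTEXT)
    seen = parse_frame(frame)
    print("bytes readable by any LAN device:", seen["cleartext_bytes"],
          "| opaque TLS body:", len(seen["tls_body"]))
    print("another host on the LAN:", endpoint_receive(frame, PEER_MAC, PEER_IP))
    forwarded = router_forward(frame, GATEWAY_MAC, NEXT_HOP_MAC)
    print("gateway rewrote L2, TTL now", parse_frame(forwarded)["ttl"],
          "| L4 and above untouched:", forwarded[34:] == frame[34:])
```

Running it shows 59 cleartext bytes (14 Ethernet + 20 IP + 20 TCP + 5 TLS record header) against a 32-byte opaque body, a peer host dropping the frame at L2 because it is addressed to the gateway's MAC, and the gateway emitting a frame whose Ethernet header and TTL changed while every byte from the TCP header onward is identical to what the client sent.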
Thank you for the very insightful and comprehensive response! My understanding on encryption within the LAN is much clearer now.
At the transport layer, once the TCP handshake is established, the TLS handshake occurs, whereby the version of TLS, the cipher suite and possibly certificates are established. There is an encrypted key exchange between the client and server, and the MAC addresses (L2) are verified before a tunnel (L3) is established on the Network Layer and the encrypted application data can be sent. Is this correct?
Yes. Great explanation, very helpful!
Let me concentrate a little more on L2 and L3. Remember that L2 and L3 on the initial packets must match those of the destination device, or the packet hasn't arrived at the proper destination where the data is supposed to go.