L2 tunnels: security and encryption deep dive
Encryption, tenant isolation, mutual auth: what makes an enterprise-grade L2 tunnel actually secure and the questions to ask vendors.
TL;DR
Sefthy's L2 tunnel protects traffic with TLS 1.3 encryption, mutual X.509 certificate authentication and full tenant segregation. This page also covers the 5 security questions to ask any L2 vendor.
The 5 security guarantees you need
1. Tunnel encryption
Traffic between the Connector and the datacentre must be encrypted. Typical: TLS 1.3 with a strong cipher suite. Do not accept an "unencrypted tunnel", even if the provider claims to be "on a secure network".
2. Mutual authentication
The Connector must authenticate the datacentre (no MITM) and vice versa. Typical: mutual X.509 certificates. Without it, an attacker could impersonate the datacentre.
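Guarantees 1 and 2 can be checked mechanically on each endpoint's TLS configuration. The following is an added example, not Sefthy's code: it audits a Python `ssl.SSLContext` for a TLS 1.3 floor and for mandatory peer certificates, with a weak configuration beside hardened ones. The function names and the "datacentre"/"connector" side labels are assumptions made for illustration.

```python
import ssl

def audit_tunnel_context(ctx, side):
    """Return findings for one tunnel endpoint; an empty list means it passes.
    side: "datacentre" (accepts connections) or "connector" (initiates them)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("encryption: protocol versions below TLS 1.3 are accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        peer = "Connector" if side == "datacentre" else "datacentre"
        findings.append(f"mutual auth: {peer} certificate is not required")
    if side == "connector" and not ctx.check_hostname:
        findings.append("mutual auth: datacentre name is not checked against its certificate")
    return findings

# A real endpoint also calls load_cert_chain() with its own key pair and
# load_verify_locations() with the tunnel CA; both are omitted here so the
# example runs without any certificate files.

def weak_datacentre_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # older protocol still negotiable
    ctx.verify_mode = ssl.CERT_NONE                # one-way TLS: Connector not authenticated
    return ctx

def hardened_datacentre_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # refuse anything below TLS 1.3
    ctx.verify_mode = ssl.CERT_REQUIRED            # handshake fails without a Connector cert
    return ctx

def hardened_connector_context():
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

if __name__ == "__main__":
    checks = [("weak datacentre", weak_datacentre_context(), "datacentre"),
              ("hardened datacentre", hardened_datacentre_context(), "datacentre"),
              ("hardened connector", hardened_connector_context(), "connector")]
    for label, ctx, side in checks:
        print(label, "->", audit_tunnel_context(ctx, side) or "OK")
```

The audit only covers settings that can be read back from the context; whether the Connector actually presents a certificate is confirmed by the datacentre side requiring one.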
3. Tenant segregation
One customer's traffic must never reach another customer. Typical: dedicated VLANs/VRFs, isolated broadcast domains. Verify with an audit.
4. Key management
Cryptographic keys must be rotated periodically. Typical: automatic rotation every 12 months. Without it, compromise risk grows over time.
5. Audit and logging
Every tunnel session must produce auditable logs. Required for ISO 27001 and NIS2.
Sefthy L2 threat model
Mitigated attacks
- MITM over public Internet: blocked by TLS 1.3 + mutual auth.
- Packet tampering: blocked by TLS 1.3.
- Credential reuse: handled by automatic key rotation.
- Cross-tenant traffic leak: blocked by dedicated VRFs.
Attacks requiring attention
- Physical Connector compromise: requires physical access. Mitigated by tamper detection.
- Console credential compromise: mitigated by mandatory MFA.
- Datacentre insider threat: mitigated by administrative controls (ISO 27001).
How Sefthy manages keys
- private keys are generated on the Connector at boot and never leave it;
- certificates are signed by a dedicated Sefthy CA;
- automatic rotation with configurable period;
- HSM in the datacentre for master keys.
Compliance and audit
For ISO 27001:2022 and NIS2:
- VPN/tunnel session logs available (rolling 90 days);
- documented key rotation evidence;
- provider attestation of annual penetration test.
FAQ
Can I inspect tunnel traffic?
Yes, from the Connector. The traffic is in plaintext at the source; it is encrypted only inside the tunnel.
What if the Connector certificate is compromised?
Revoke via Console and regenerate. Time: 5 minutes.
Can Sefthy access tunnel traffic?
No. The datacentre transmits packets; it does not inspect them.