Cyber Defence Full Day Workshop

Quantum-Safe Network Architecture

This workshop equips network security architects to migrate perimeter and internal network infrastructure to post-quantum cryptography, layer by layer.

Full day (6 hours + Q&A)
In person or online
Max 30 delegates

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

Network architecture migration to PQC is not a single project but a sequenced transition across multiple protocol layers. TLS protects web traffic and API communications. IPsec and WireGuard protect VPN tunnels. PKI certificate chains authenticate every encrypted connection. DNSSEC protects name resolution. Each layer uses classical key agreement (RSA or ECDH) or digital signatures (RSA or ECDSA) that a cryptographically relevant quantum computer would break. The migration challenge is that these layers are interdependent: you cannot migrate TLS certificates without addressing the CA hierarchy, and you cannot update the CA hierarchy without planning for the larger certificate and CRL sizes that PQC algorithms produce.

This workshop works through that migration layer by layer. Participants examine TLS 1.3 hybrid key exchange deployment on reverse proxies and load balancers, with concrete data on handshake size increases and client compatibility. VPN migration covers IPsec IKEv2 PQC configuration on major vendor platforms (Cisco, Palo Alto, Fortinet) and the Rosenpass PQC layer for WireGuard. Certificate lifecycle management addresses CA hierarchy re-signing with ML-DSA, ACME protocol PQC support, and OCSP/CRL scaling for larger PQC signatures. Internal network coverage extends PQC to zero trust microsegmentation and DNSSEC zone signing. Each layer includes a rollback procedure and monitoring guidance for the transition period.

What participants cover

  • TLS 1.3 hybrid mode: ML-KEM-768 + X25519 key exchange, ML-DSA-65 certificates, handshake overhead data, and phased deployment from reverse proxy to internal services
  • VPN PQC migration: IPsec IKEv2 ML-KEM configuration on Cisco, Palo Alto, and Fortinet. WireGuard Rosenpass as an interim PQC layer. Remote access VPN prioritised over site-to-site.
  • Certificate lifecycle: CA hierarchy migration (root re-signing, cross-signing), ACME PQC automation, and OCSP/CRL scaling strategies for ML-DSA signature sizes
  • Internal network PQC: zero trust mTLS with PQC certificates, DNSSEC ML-DSA zone signing, and IDS/IPS compatibility with PQC handshakes (Suricata, Zeek)
  • Compliance: NIST FIPS 203/204 timelines, CNSA 2.0 network encryption deadlines, and ENISA/BSI/ANSSI/NCSC migration guidance
  • Migration sequencing: internet-facing TLS, then VPN, then internal east-west, then DNS. Rollback procedures and connection monitoring for each phase.

Preliminary Agenda

Full-day session structure with scheduled breaks. Content is configurable to your network topology, VPN vendor environment, and PKI architecture.

Sessions and topics

1. The Quantum Threat to Network Architecture
   Why every network layer from perimeter to internal segments requires PQC migration

2. TLS 1.3 Hybrid Mode Deployment
   Migrating web-facing and internal TLS to post-quantum key exchange
  • TLS 1.3 hybrid key exchange: ML-KEM-768 + X25519 combined key encapsulation. Handshake size increase (approximately 1,100 bytes additional), latency impact, and client compatibility considerations.
  • Certificate chain migration: ML-DSA-65 leaf and intermediate certificates. ServerHello size increase (approximately 8 KB versus ECDSA) and implications for TCP initial congestion window.
  • Deployment sequencing: enabling hybrid TLS on reverse proxies and load balancers first, monitoring connection success rates, then extending to internal service-to-service TLS.

Break, after 50 min

3. Quantum-Safe VPN Configuration
   IPsec IKEv2 and WireGuard PQC migration
  • IPsec IKEv2 PQC: ML-KEM key agreement for Security Association establishment. Hybrid mode configuration on common VPN concentrators (Cisco, Palo Alto, Fortinet). Throughput benchmarks with PQC overhead.
  • WireGuard PQC: post-quantum key exchange proposals and implementation status. Rosenpass as an interim PQC layer for WireGuard deployments.
  • Site-to-site and remote access VPN: different migration priorities. Remote access VPN (internet-facing, higher HNDL exposure) before site-to-site (typically private circuits, lower harvest risk).

4. Certificate Lifecycle Management Under PQC
   PKI migration, certificate automation, and trust chain management
  • CA hierarchy migration: root CA re-signing with ML-DSA, cross-signing for backward compatibility during transition, and trust store update coordination
  • Certificate automation: ACME protocol PQC support, cert-manager integration, and automated renewal for larger PQC certificates
  • OCSP and CRL scaling: ML-DSA signature sizes increase OCSP response and CRL sizes. Stapling strategies and CDN distribution for large CRL payloads.

Break, after 40 min

5. Internal Network Segmentation and East-West Traffic
   Extending PQC protection beyond the perimeter
  • Zero trust architecture and PQC: mutual TLS with PQC certificates for microsegmentation. Service mesh mTLS migration (Istio, Linkerd) as covered in the cloud-native workshop, summarised here for network architects.
  • DNS security: DNSSEC with ML-DSA zone signing. Response size implications (ML-DSA-65 signatures are approximately 2.5 KB) and resolver compatibility.
  • Network monitoring: ensuring IDS/IPS and traffic analysis tools can parse PQC handshakes. Updated Suricata and Zeek rule sets for hybrid TLS.

6. Standards, Compliance, and Migration Roadmap
   Regulatory drivers and sequenced implementation plan
  • NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) implementation timelines. CNSA 2.0 network encryption deadlines.
  • ENISA, BSI, ANSSI, and UK NCSC guidance on network PQC migration priorities
  • Migration sequencing: internet-facing TLS first, then VPN, then internal east-west, then DNS. Rollback procedures and monitoring for each phase.

7. Q&A and Migration Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and enterprise network security.


Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.


Network Security Partners

Domain expertise and operational validation

Network architecture workshops are co-delivered with specialists who bring direct operational experience in enterprise network security design, VPN infrastructure management, PKI administration, and zero trust implementation across multi-site environments.

Commission This Workshop

Sessions are configured around your network topology, VPN vendor environment, PKI architecture, and compliance deadlines. Get in touch to discuss requirements and schedule a date.
