UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

Similar documents
Understanding Layer 2 Encryption

CN9000 Series 100Gbps Encryptors

VERSATILE ENTRY-LEVEL

ADVANCED DEFENCE-GRADE

SENETAS ENCRYPTION KEY MANAGEMENT STATE-OF-THE-ART KEY MANAGEMENT FOR ROBUST NETWORK SECURITY

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

HIGH-ASSURANCE FLEXIBLE 1-10GBPS ENCRYPTION CN6000 SERIES

INTERNATIONAL LAW ENFORCEMENT HD CCTV NETWORK

AVAYA FABRIC CONNECT SOLUTION WITH SENETAS ETHERNET ENCRYPTORS

CoSign Hardware version 7.0 Firmware version 5.2

Datacryptor Key Features. Page 1 of 5. Document Number 40676

TRAFFIC FLOW SECURITY USING SENETAS HIGH- ASSURANCE ENCRYPTORS TECHNICAL PAPER

This Security Policy describes how this module complies with the eleven sections of the Standard:

Overview. SSL Cryptography Overview CHAPTER 1

Cisco Wide Area Application Services: Secure, Scalable, and Simple Central Management

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

SENETAS CN8000 MULTI-LINK 10x10 GBPS ENCRYPTOR FREQUENTLY ASKED QUESTIONS

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

RGS-7244GP / RGS-7244GP-E

MASERGY S MANAGED SD-WAN

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

Configuring VRRP. Finding Feature Information. The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

IBM TotalStorage SAN Switch M12

About VLAN IEEE 802.1Q. Voice VLAN

Chapter 3 Managing System Settings

HP S1500 SSL Appliance. Product overview. Key features. Data sheet

MA5400 IP Video Gateway. Introduction. Summary of Features

Secure Connectivity for Multi-Site Organisations

RGS-7244GP / RGS-7244GP-E

(2½ hours) Total Marks: 75

Configuring EtherChannels and Link-State Tracking

Configuring Firewall Filters (J-Web Procedure)

Configuring Port Channels

TOLLY. No March Fortress Technologies, Inc.

R&S SITLine ETH Ethernet Encryptor Secure data transmission via landline, radio relay and satellite links up to 40 Gbit/s

Advanced iscsi Management April, 2008

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches

Observer Probe Family

Configuring Web Cache Services By Using WCCP

IBM TotalStorage SAN Switch F32

S5 Communications. Rev. 1

New Product: Cisco Catalyst 2950 Series Fast Ethernet Desktop Switches

1Industrial Ethernet Switch

VPN Overview. VPN Types

Apex Orion DATASHEET. DS-1026-E 1 of 5

Configuring StackWise Virtual

100GBPS, ULTRA-FAST, CERTIFIED HIGH- ASSURANCE NETWORK ENCRYPTION FOR MEGA DATA

Certification Report

Designed for Railway application and fully compliant with the requirement of EN50155/EN standard

IEEE 802.1Q. Voice VLAN

Validation of Cisco SCE8000

RGS-7168GCP / RGS-7168GCP-E

HigH THrougHpuT MeeTs Low TCo. THe etherhaul TM wireless BaCkHauL. 4Gon Tel: +44 (0) Fax: +44 (0)

Cisco Desktop Collaboration Experience DX650 Security Overview

National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products

Abstract of the Book

Innovative Security Solutions For Protecting Data in Motion

ProSafe Plus Switch Utility

SD-WAN Deployment Guide (CVD)

Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks SEL 2017

SD-WAN Transform Your Agency

Configuring the Management Interface and Security

Cisco SRW Port Gigabit Switch: WebView Cisco Small Business Managed Switches

Portable Wireless Mesh Networks: Competitive Differentiation

Creating Trust in a Highly Mobile World

Configuring Virtual Private LAN Services

VISION ONE: SECURITY WITHOUT SACRIFICE

Cisco SFE Port 10/100 Ethernet Switch Cisco Small Business Managed Switches

WL-5420AP. User s Guide

IEEE 802.1Q. Voice VLAN

Encrypted Phone Configuration File Setup

Networking interview questions

S Series Switches. MACsec Technology White Paper. Issue 1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

Virtual KeySecure for AWS

Motorola PTP 800 Series CMU Cryptographic Module Security Policy

Designed, built, and tested for troublefree operation in extreme conditions

Telkonet G3 Series ibridge/extender Security Policy

Cisco 2-, 5-, 8-, and 10-Port Gigabit Ethernet Shared Port Adapters, Version 2

Encryption in high-speed optical networks

Practical application of Quantum Key Distribution and wider security implications.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

UniGuard-V34. Cryptographic Module Security Policy

BreezeACCESS VL Security

SENETAS CERTIFIED HIGH-ASSURANCE NETWORK ENCRYPTION FOR GOVERNMENT

Huawei Technologies engaged Miercom to evaluate the S2700-EI

FIPS SECURITY POLICY FOR

Model 650 SafeNet Encryptor

Giga Lynx DATASHEET. DS-1029-F 1 of 5

Content and Purpose of This Guide... 1 User Management... 2

COMMON CRITERIA CERTIFICATION REPORT

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

EPON OLT PTF3004. Description: Features:

Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy

Connecting Securely to the Cloud

Contents. Configuring LLDP 2

Apex Lynx DATASHEET. DS-1030-E 1 of 5

Transcription:

1 UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

CN encryption devices are purpose built hardware appliances that have been designed and developed in Australia by Senetas Corporation since 1997. They secure data transmitted across Layer 2 networks. The Senetas CN product range is mature; Federal government endorsed (it has achieved both the Common Criteria EAL4+ and the FIPS140-2 level 3 certifications); and has been deployed to protect sensitive data in thousands of locations in more than twenty-five countries. The Senetas CN platform is optimised to secure information transmitted over a diverse range of Layer 2 network protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at data speeds to 10 Gigabits per second (Gbps). The Senetas CN encryptor s latency and overhead are the lowest in the marketplace. Encryption occurs at the data link layer (Layer 2); the payload of the received network traffic is scrambled and the protocol header is left in the clear so that it can be switched through the network as intended. Encryption at Layer 2 solves many of the underlying problems of traditional Layer 3 encryption such as complexity, reduced performance and a lack of support for multiple traffic types. Senetas CN encryptors are fully autonomous and operate independently in point-to-point or large meshed environments with no reliance on external servers. Supporting fully automatic key management with unique encryption keys per connection, the Senetas encryptors offer the most secure, resilient and highest performance method of securing sensitive voice, video and data. The remainder of this document focuses on the Senetas CN series Ethernet encryptors to describe the Senetas Layer 2 approach to securing critical sensitive information. 1 Senetas Layer 2 Encryption

PRODUCT ARCHITECTURE The Senetas CN encryptor is an in-line device that is located on the edge of a network between a local private network, and a remote public network. Senetas CN encryptors provide access control, authentication and confidentiality of transmitted information between secured sites. The encryptors are added to an existing network providing complete transparency to the end user and network equipment. An example installation is shown in Figure 1. FIGURE 1 ETHERNET MESH DEPLOYMENT The encryptor receives frames on its ingress port; valid frames are classified according to the Ethernet header then processed according to the configured policy. The frame processing policy is highly configurable and supports operation in point-to-point, hub and spoke and fully meshed environments. In a meshed environment each encryptor supports over 500 concurrent connections to peer devices with per connection policy tied to either remote MAC address or to VLAN ID. Allowable policy actions are: > > Encrypt payload of frame is encrypted according to the defined policy > > Discard drop the frame, no portion is transmitted > > By-pass transmit the frame without alteration Selective policy control allows mixed traffic profiles which permits specified traffic types to be by-passed or discarded through the device (for example, by-pass core switch operation or maintenance frames) with policy resolution down to the ether-type level. The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted. Multicast traffic and VLANs Multicast encryption is used to encrypt traffic that is sent from a host to all members of a multicast group and operates at Layer 2 with no requirement to modify core switch operation. Policy is tied to a multicast MAC address. VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic separation between VLANs. Policy is tied to the VLAN identifier(s). In both cases a group key encryption scheme is used to ensure that encrypted data from a single sender can be successfully received and decrypted by all members of the VLAN or multicast community. Group key encryption uses the AES CTR encryption mode. The Senetas group key management scheme is responsible for ensuring group keys are maintained across the visible network and is designed to be secure, dynamic and robust; with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys as this introduces both a single point of failure and a single point of compromise. 2 Senetas Layer 2 Encryption

The Senetas CN high-speed encryptor series is developed with designed-in features necessary to maintain performance, flexibility and dependability. For robustness and security a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. Using an elected key master from within the group allows: > > Automatic discovery of multicast/vlan encryption groups > > Automatic ageing/deletion of inactive groups > > Secure distribution and updates of keys to all members of multicast groups > > New members to securely join or leave the group at any time > > Fault tolerance to network outages and topology changes. FIGURE 2 DATA FLOW THROUGH THE ENCRYPTOR PERFORMANCE Encryption is implemented in dedicated silicon using a cut-through encryption architecture. This has the benefit that only a portion of the frame needs to be received before encryption and re-transmission of the frame can begin. This approach ensures very low latency and consistency (in the order of 7µS for a 1Gbps Ethernet encryptor) independent of frame size. This consistency is an important attribute in many business applications used. In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no packet expansion is performed. In Counter mode (CTR) an 8 byte shim is appended to encrypted frames to ensure counter values are synchronised at both ends. The Senetas encryptors are capable of full duplex, full line rate operation independent of packet size or higher layer protocol. An encryptor will also generate a very small amount of traffic between devices for key updates and management purposes. To distinguish it from other network frames this traffic is sent using the Senetas registered ether-type (0xFC0F). 3 Senetas Layer 2 Encryption

FIGURE 3 SENETAS INTERNAL ARCHITECTURE 4 Senetas Layer 2 Encryption

COMPATIBILITY The Senetas CN encryptors have proven interoperability with Ethernet switches from all the well known vendors and provide transparent support for: > > All Ethernet frame formats > > MPLS shims (multiple nested) > > VLAN tags (multiple nested) > > 802.1P class of service priority KEY MANAGEMENT The encryption algorithm used in Senetas CN encryptors is AES in cipher feedback mode (CFB) or counter mode (CTR) with a key size of 256 bits. Encryption keys are derived internally to FIPS standards from true hardware random number generators. Public key cryptography and X.509 certificates are used to provide a fully automated key management system. Master (key encrypting) keys are transferred between encryptors using authenticated RSA public key cryptography. Session (data encrypting) keys are transferred periodically between encryptors using master keys. Any combination of encrypted or unencrypted virtual circuits can be configured up to a maximum of 509 active connections for a standard Ethernet frame format. Interoperability with 3rd party Certificate Authorities and OCSP/CRL servers is permitted and a full CA capability is also provided in the companion management tool CypherManager. TAMPER PROTECTION The Senetas CN series is manufactured in a tamper proof 19 steel case suitable for rack mounting. Physical security is ensured by an active tamper protection mechanism that operates in the presence or absence of power. The tamper detection mechanism is triggered if an attempt is made to remove the interface card or remove the lid of the enclosure. A tampered encryptor will actively delete all sensitive material such as encryption keys and user passwords and will revert to a known factory default configuration. Holographic tamper evident seals are used to provide visibility of tampered units. Additionally, more recent Senetas CN encryptors now include hardware design features that prevent physical interference with the hardware. FIGURE 4 SENETAS CN3000 REAR VIEW 5 Senetas Layer 2 Encryption

MANAGEMENT Senetas CN series encryptors are supplied with the management GVI, CM7. Previously known as CyberManager, CM7 is a simple to use encryptor local and remote management application. CM7 provides users with comprehensive and intuitive management functionality. Role based management access is used for both local (RS232 CLI) and remote (SNMPv3) management. All users must be authenticated before being granted access to a Senetas CN series encryptor. The CM7 user role model has three privilege levels: Administrator, Supervisor and Operator and up to thirty different accounts are supported. SUMMARY CM7 is a Senetas developed tool that functions as a device manager and that will also act as a root Certificate Authority for a network of Senetas encryptors. CM7 provides private, authenticated access to encryptors to enable secure remote management. It is also used to remotely upgrade the Senetas encryptors firmware over the network. FIGURE 5 SENETAS CM7 MANAGEMENT SOFTWARE The CM7 encryptor logs all configuration changes to a non-volatile audit log and also records all events to a non-volatile event log. Any alarm conditions are reported in the CM7 logs and in the alarm table, they are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can be sent to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by CM7. The Senetas CN encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on the front panel, this being referred to as out-of-band management. Remote management can also be enabled over the encrypted network itself so that the encryptor is managed over the network interface port; this is called in-band management. Copyright Senetas Corporation 2013 All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time. Rev. 01 6 Senetas Layer 2 Encryption

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback