Understanding Layer 2 Encryption


TECHNICAL WHITEPAPER

Benefits of Layer 2 Encryption

Lowest cost of ownership
- Better bandwidth efficiency (up to 50%)
- Minimal ongoing maintenance: routing updates are transparent to encryption
- Lowest cost solution for aggregation of many sites

Maximum performance
- Low protocol overhead
- Low latency
- Eliminates GRE and complex QoS schemes

Enterprise scalability
- Fast, reliable network integration
- Simple architecture scales to thousands of devices
- Layer 3 transparent: all Layer 3 protocols supported (IPv4, IPv6, and legacy)

Introduction

SafeNet CN high speed network data encryption devices are purpose-built hardware appliances that secure data transmitted across Layer 2 networks. The CN series platforms provide highly secure, full line rate transparent encryption for data moving across both dark fibre and metro or wide area networks in point-to-point, hub & spoke, or any meshed environment. Providing the world's only triple-certified encryptors of their type (Common Criteria, FIPS and CAPS (UK) certifications*), the CN series has been deployed to protect sensitive data in thousands of locations in more than twenty-five countries.

The CN platform is optimized to secure information transmitted over a diverse range of Layer 2 network protocols including: Synchronous Optical Network (SONET), and networks at data speeds up to 10 Gigabits per second (Gbps). The CN series encryptors' latency and overhead are the lowest in the marketplace.

Encryption occurs at the data link layer (Layer 2): the payload of the received network traffic is scrambled and the protocol header is left in the clear so that it can be switched through the network as intended. Encryption at Layer 2 solves many of the underlying problems of traditional Layer 3 encryption such as complexity, reduced performance and a lack of support for multiple traffic types.

CN encryptors are fully autonomous and operate independently in point-to-point or large meshed environments with no reliance on external servers. Supporting fully automatic key management with unique encryption keys per connection, these encryptors offer the most secure, resilient and highest performance method of securing sensitive voice, video and data. The remainder of this document focuses on the CN series encryptors to describe the SafeNet Layer 2 approach to protecting critical sensitive information.

*For details about specific models, please contact SafeNet

Understanding Layer 2 Encryption Technical Whitepaper 1

SafeNet Layer 2 encryption solutions deliver:
- Maximum performance
- Strongest available protection
- Certified to FIPS 140-2 Level 3, Common Criteria and CAPS (UK)*
- The least administrative overhead
- The lowest total cost of ownership

*Approved models

Product Architecture

CN series encryptors are in-line devices located on the edge of a network between a local private network and a remote public network. CN encryptors provide access control, authentication and confidentiality of transmitted information between secured sites. The encryptors are added to an existing network, providing complete transparency to the end user and network equipment. An example installation is shown in Figure 1.

[Figure 1: Mesh Deployment. Hub routers at several sites connect through CN series encryptors over a shared network, at link speeds ranging from 10 Mbps to 10 Gbps.]

The encryptor receives frames on its ingress port; valid frames are classified according to the header, then processed according to the configured policy. The frame processing policy is highly configurable and supports operation in point-to-point, hub and spoke and fully meshed environments. In a meshed environment, each encryptor supports over 500 concurrent connections to peer devices, with per-connection policy tied to either the remote MAC address or the VLAN ID. Allowable policy actions are:
- Encrypt: the payload of the frame is encrypted according to the defined policy
- Discard: drop the frame; no portion is transmitted
- Bypass: transmit the frame without alteration

Selective policy control allows mixed traffic profiles, which permits specified traffic types to be bypassed or discarded by the device (for example, bypassing core switch operation or maintenance frames) with policy resolution down to the ether-type level. The transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted.

Multicast traffic and VLANs

Multicast encryption is used to encrypt traffic that is sent from a host to all members of a multicast group and operates at Layer 2 with no requirement to modify core switch operation. Policy is tied to a multicast MAC address. VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic separation between VLANs. Policy is tied to the VLAN identifier(s). In both cases a group key encryption scheme is used to ensure that encrypted data from a single sender can be successfully received and decrypted by all members of the VLAN or multicast community. Group key encryption uses the AES CTR encryption mode.

Key Management

The SafeNet group key management scheme is responsible for ensuring group keys are maintained across the visible network and is designed to be secure, dynamic and robust, with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys, as this introduces both a single point of failure and a single point of compromise. The CN high-speed encryptor series is developed with designed-in features necessary to maximize performance, flexibility and dependability.

For robustness and security, a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. Using an elected key master from within the group allows:
- Automatic discovery of multicast/VLAN encryption groups
- Automatic ageing/deletion of inactive groups
- Secure distribution and updates of keys to all members of multicast groups
- New members to securely join or leave the group at any time
- Fault tolerance to network outages and topology changes

[Figure 2: Data flow through the Encryptor. Plaintext entering the local port passes through the encryption engine and leaves the network port encrypted; encrypted frames arriving at the network port pass through the decryption engine and leave the local port decrypted; control and management sits alongside both paths.]

Performance

Encryption is implemented in dedicated silicon using a cut-through encryption architecture. This has the benefit that only a portion of the frame needs to be received before encryption and re-transmission of the frame can begin. This approach ensures both very low latency and consistently low latency (in the order of 7 µs for a 1 Gbps encryptor) independent of frame size. This consistency is an important attribute in many business applications.

In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no packet expansion is performed. In Counter mode (CTR) an 8 byte shim is appended to encrypted frames to ensure counter values are synchronized at both ends.

The CN encryptors are capable of full duplex, full line rate operation independent of packet size or higher layer protocol.
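The frame path described in the Product Architecture and Performance sections, as an added example that is not SafeNet's code: the header is left in the clear, policy is resolved by ether-type, then VLAN ID, then remote MAC (encrypt / discard / bypass), and in CTR mode an 8-byte counter shim is appended so the receiver can resynchronise. The policy table, key and frames are constructed for the example, and an HMAC-SHA256 keystream stands in for AES-CTR because the Python standard library ships no AES; 0xFC0F is the management ether-type quoted in the paper and 0x88CC (LLDP) is assumed as a typical maintenance frame to bypass.

```python
import hashlib, hmac, struct

# Constructed values for this example (not from the whitepaper): a per-connection key
# and a policy table keyed by VLAN ID or, for untagged frames, by destination MAC.
KEY = hashlib.sha256(b"constructed example session key").digest()
POLICY = {10: "encrypt", 20: "bypass", bytes.fromhex("02005e000001"): "encrypt"}
ETH_MGMT = 0xFC0F   # SafeNet management ether-type quoted in the whitepaper
ETH_LLDP = 0x88CC   # assumed switch maintenance frame type; a typical bypass candidate
SHIM_LEN = 8        # CTR mode appends an 8-byte counter shim; CFB would add nothing

def build_frame(dst, src, etype, payload, vlan=None):
    """Constructed Ethernet frame (FCS omitted; the transmitter recomputes it anyway)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

def parse_header(frame):
    """Split a frame into (clear header, VLAN ID or None, ether-type, body)."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == 0x8100:                          # 802.1Q tagged frame
        tci, etype = struct.unpack("!HH", frame[14:18])
        return frame[:18], tci & 0x0FFF, etype, frame[18:]
    return frame[:14], None, tpid, frame[14:]

def decide(header, vlan, etype):
    """Policy resolution: ether-type first, then VLAN ID, then remote MAC; default discard."""
    if etype in (ETH_MGMT, ETH_LLDP):
        return "bypass"
    return POLICY.get(vlan if vlan is not None else header[:6], "discard")

def keystream(counter, length):
    """Counter-mode keystream. HMAC-SHA256 stands in for the AES-CTR the whitepaper
    describes, because the standard library has no AES; the framing is unchanged."""
    blocks = (hmac.new(KEY, struct.pack("!QI", counter, i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def egress(frame, counter):
    """Encrypt side: header in the clear, payload XORed with keystream, counter shim appended."""
    header, vlan, etype, payload = parse_header(frame)
    action = decide(header, vlan, etype)
    if action == "discard":
        return None, action
    if action == "bypass":
        return frame, action
    ct = bytes(a ^ b for a, b in zip(payload, keystream(counter, len(payload))))
    return header + ct + struct.pack("!Q", counter), action

def ingress(frame):
    """Decrypt side: read the counter from the shim, strip it and recover the payload."""
    header, vlan, etype, body = parse_header(frame)
    if decide(header, vlan, etype) != "encrypt":
        return frame
    ct, counter = body[:-SHIM_LEN], struct.unpack("!Q", body[-SHIM_LEN:])[0]
    return header + bytes(a ^ b for a, b in zip(ct, keystream(counter, len(ct))))
```

Because the VLAN tag and ether-type stay readable, the receiving encryptor resolves the same policy without any state beyond the shim, which is why switches in between can forward the frame untouched.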

[Figure 3: Internal Architecture. Physical connections to the private and public networks feed a high-speed crypto subsystem whose data plane holds the encryption and decryption engines; a control plane microprocessor carries a software crypto subsystem (AES/DES, RSA, real time clock, noise source) and a management subsystem (RS232, status & display, keypad, USB socket, SNMPv3 API, graphical user management).]

An encryptor will also generate a very small amount of traffic between devices for key updates and management purposes. To distinguish it from other network frames, this traffic is sent using the SafeNet registered ether-type (0xFC0F).

Compatibility

The SafeNet CN encryptors have proven interoperability with switches from all the well-known vendors and provide transparent support for:
- All frame formats
- MPLS shims (multiple nested)
- VLAN tags (multiple nested)
- 802.1P class of service priority

Key Management

The encryption algorithm used in CN encryptors is AES in cipher feedback mode (CFB) or counter mode (CTR) with a key size of 256 bits. Encryption keys are derived internally to FIPS standards from true hardware random number generators. Public key cryptography and X.509 certificates are used to provide a fully automated key management system. Master (key encrypting) keys are transferred between encryptors using authenticated RSA public key cryptography. Session (data encrypting) keys are transferred periodically between encryptors using master keys. Any combination of encrypted or unencrypted virtual circuits can be configured, up to a maximum of 509 active connections for a standard frame format. Interoperability with 3rd party Certificate Authorities and OCSP/CRL servers is permitted, and a full CA capability is also provided in the companion management platforms.

Tamper Protection

The CN series is manufactured in a tamper-proof 19-inch steel case suitable for rack mounting.

[Figure 4: 6100 rear view]

Physical security is ensured by an active tamper protection mechanism that operates in the presence or absence of power. The tamper detection mechanism is triggered if an attempt is made to remove the interface card or remove the lid of the enclosure. A tampered encryptor will actively delete all sensitive material such as encryption keys and user passwords and will revert to a known factory default configuration. Holographic tamper evident seals are used to provide visibility of tampered units. Additionally, more recent encryptors now include hardware design features that prevent physical interference with the hardware.

Management

CN series encryptors are supplied with two options for management. Security Management Center (SMC) is an enterprise manager, whereas CM7 (CypherManager) is an element manager more suited to small deployments. Both offer a simple to use local and remote encryptor management application that provides users with comprehensive and intuitive management functionality.

Role-based management access is used for both local (RS232 CLI) and remote (SNMPv3) management. All users must be authenticated before being granted access to a CN series encryptor. Various privilege levels and different accounts are supported.

The encryptor logs all configuration changes to a non-volatile audit log and also records all events to a non-volatile event log. Any alarm conditions are reported in the logs and in the alarm table; they are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can be sent to independent trap handlers (e.g. OpenView, NetView) as well as being received by SMC/CM7.

The CN encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on the front panel; this is referred to as out-of-band management. Remote management can also be enabled over the encrypted network itself so that the encryptor is managed over the network interface port; this is called in-band management.

The management platform not only functions as a device manager but also as a root Certificate Authority for a network of SafeNet CN encryptors. The management platforms provide private, authenticated access to encryptors to enable secure remote management. They can also be used to remotely upgrade the encryptors' firmware over the network.

About SafeNet, Inc.

Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet's data-centric approach focuses on the protection of high value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected

2013 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-12.02.13