Fact Sheet SEN-112




               Understanding Senetas layer 2 encryption




Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is
granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this
document may be issued, without notice, from time to time.
Understanding Senetas layer 2 encryption


      Introduction
      CN encryption devices are purpose-built hardware appliances that have been developed in Australia
      by Senetas Corporation since 1997 and provide secure transport across layer 2 network services.

      The CN product range is mature; Federal government endorsed (it has achieved both the Common
      Criteria EAL4+ accreditation and the FIPS140-2 level 3 certifications); and has been deployed to
      protect critical infrastructure in thousands of locations in more than thirty-five countries.

      The CN platform is optimised to secure information transmitted over a diverse range of network
      protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at
      data rates up to 10 Gigabits per second (Gbps). The CN series latency and overhead are lower than
      competing solutions available in the marketplace.

      Encryption occurs at the data link layer (layer 2); the payload of the received network traffic is
      scrambled and the protocol header is left in the clear so that it can be switched through the network
      as intended.

      Encryption at layer 2 solves many of the underlying problems of traditional layer 3 encryption such
      as complexity, performance and support for multiple traffic types.

      CN encryptors are fully autonomous and operate independently in point to point or large meshed
      environments with no reliance on external servers.

      Supporting fully automatic key management with unique encryption keys per connection, the devices
      offer the most secure, resilient and highest performance method of securing sensitive voice, video
      or data.

      The remainder of this document focuses on the CN series Ethernet encryptor to describe the layer 2
      approach to securing information.




      Product architecture
      The CN encryptor is an inline device that is located on the edge of a network between a local private
      network, and a remote public network.
      CN encryptors provide access control, authentication and confidentiality of transmitted information
      between secured sites. The encryptors can be added to an existing network providing complete
      transparency to the end user and network equipment. An example installation is shown in Figure 1.




      __________________________________________________________________________________
      Page 1




                                    Figure 1 – Ethernet Mesh Deployment

      The encryptor receives frames on its ingress port; valid frames are classified according to the
      Ethernet header then processed according to the configured policy.
      The frame processing policy is highly configurable and supports operation in point-to-point, hub and
      spoke or fully meshed environments. In a meshed environment each encryptor supports over 500
      concurrent connections to peer devices, with per-connection policy tied to either the remote MAC
      address or the VLAN ID.
      Allowable policy actions are:
        • Encrypt – payload of frame is encrypted according to the defined policy
        • Discard – drop the frame, no portion is transmitted
        • Bypass – transmit the frame without alteration
      Selective policy control allows mixed traffic profiles, permitting specified traffic types to be
      bypassed or discarded by the device (for example, to bypass core switch operation or
      maintenance frames), with policy resolution down to the ethertype level.
      The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end
      of the frame. The frame is then encoded and transmitted.
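As an added illustration of the classification and policy step described above (example code written for this page, not Senetas code), the following Python parses an Ethernet header including nested 802.1Q/802.1ad tags, picks one of the three policy actions for the frame, and recomputes the FCS as the transmitter would. The rule set, the fail-closed default of discarding unmatched frames, and matching a VLAN rule against the outermost tag are choices made for this example, not details from the fact sheet.

```python
import struct
import zlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# 0x8100/0x88A8 are the 802.1Q/802.1ad tag ethertypes, 0x88CC is LLDP;
# 0xFC0F is the Senetas registered ethertype named in the fact sheet.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_SENETAS = 0xFC0F


class Action(Enum):
    ENCRYPT = "encrypt"   # payload encrypted, header left in the clear
    DISCARD = "discard"   # frame dropped, nothing transmitted
    BYPASS = "bypass"     # frame forwarded unaltered


@dataclass
class FrameInfo:
    dst_mac: bytes
    src_mac: bytes
    vlan_ids: Tuple[int, ...]   # outermost first; empty for untagged frames
    ethertype: int              # innermost ethertype, after any VLAN tags
    payload_offset: int         # where the encryptable payload begins


def parse_ethernet(frame: bytes) -> FrameInfo:
    """Classify a frame by its Ethernet header, walking any nested VLAN tags."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans: List[int] = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return FrameInfo(dst, src, tuple(vlans), ethertype, offset)


@dataclass
class Rule:
    action: Action
    ethertype: Optional[int] = None
    vlan_id: Optional[int] = None      # matched against the outermost tag (assumption)
    dst_mac: Optional[bytes] = None

    def matches(self, info: FrameInfo) -> bool:
        if self.ethertype is not None and info.ethertype != self.ethertype:
            return False
        if self.vlan_id is not None and (not info.vlan_ids or info.vlan_ids[0] != self.vlan_id):
            return False
        if self.dst_mac is not None and info.dst_mac != self.dst_mac:
            return False
        return True


def apply_policy(frame: bytes, rules: List[Rule],
                 default: Action = Action.DISCARD) -> Tuple[Action, FrameInfo]:
    """First matching rule wins; unmatched frames fall to the default (fail closed here)."""
    info = parse_ethernet(frame)
    for rule in rules:
        if rule.matches(info):
            return rule.action, info
    return default, info


def append_fcs(frame: bytes) -> bytes:
    """Ethernet FCS is CRC-32 (same polynomial and conventions as zlib.crc32),
    transmitted least-significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan_tags=()) -> bytes:
    """Constructed test frame without FCS; vlan_tags is a sequence of (tag_ethertype, vlan_id)."""
    hdr = dst + src
    for tag_type, vid in vlan_tags:
        hdr += struct.pack("!HH", tag_type, vid & 0x0FFF)   # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample policy modelled on the three actions the fact sheet lists.
MCAST = bytes.fromhex("01005e000001")
POLICY = [
    Rule(Action.BYPASS, ethertype=ETHERTYPE_LLDP),   # switch maintenance frames pass untouched
    Rule(Action.ENCRYPT, vlan_id=100),               # VLAN 100 is an encrypted community
    Rule(Action.ENCRYPT, dst_mac=MCAST),             # a multicast group under a group key
]

if __name__ == "__main__":
    src = bytes.fromhex("66778899aabb")
    f = build_frame(bytes.fromhex("001122334455"), src, 0x0800, b"x" * 46, [(ETHERTYPE_VLAN, 100)])
    action, info = apply_policy(f, POLICY)
    print(action, info.vlan_ids, "payload starts at", info.payload_offset)
```

Because the header (and any tags) are left in the clear, `payload_offset` is exactly the boundary between what the network still needs to switch the frame and what the encryptor scrambles; a policy that matched on anything past that offset would have to inspect plaintext that the remote side cannot see.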


      Multicast traffic and VLANs

      Multicast encryption is used to encrypt traffic that is sent from a host to all members of a multicast
      group and operates at layer 2 with no requirement to modify core switch operation. Policy is tied to
      a multicast MAC address.
      VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic
      separation between VLANs. Policy is tied to the VLAN identifier(s).





      In both cases a group key encryption scheme is used to ensure that encrypted data from a single
      sender can be successfully received and decrypted by all members of the VLAN or multicast
      community. Group key encryption uses the AES CTR encryption mode.
      The Senetas group key management scheme is responsible for ensuring group keys are maintained
      across the visible network and is designed to be secure, dynamic and robust; with an ability to
      survive network outages and topology changes automatically. It does not rely on an external key
      server to distribute group keys as this introduces both a single point of failure and a single point of
      compromise.
      For robustness and security a group key master is automatically elected amongst the visible
      encryptors within a mesh based on the actual traffic. Using an elected key master from within the
      group allows:
            • Automatic discovery of multicast/VLAN encryption groups
            • Automatic ageing/deletion of inactive groups
            • Secure distribution and updates of keys to all members of multicast groups
            • New members to securely join or leave the group at any time
            • Fault tolerance to network outages and topology changes



      Figure 2 - Data flow through the Encryptor (diagram: Network Port Interface carrying header plus
      encrypted payload, Decryption and Encryption blocks in the middle, Local Port Interface carrying
      header plus decrypted payload, with a Control & Management block alongside)




      Performance
      Encryption is implemented in dedicated silicon using a cut-through encryption architecture; this has
      the benefit that only a portion of the frame needs to be received before encryption and re-
      transmission of the frame can begin. This approach ensures consistently low latency (in the order of
      7 µs for a 1 Gbps Ethernet encryptor) independent of frame size.
      In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no
      packet expansion is performed.
      In Counter mode (CTR) an 8 byte shim is appended to encrypted frames to ensure counter values are
      synchronised at both ends.
      The encryptors are capable of full duplex, full line rate operation independent of packet size or
      higher layer protocol.
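To make the two mode descriptions concrete, here is an added Python example (written for this page, not Senetas code) of the on-the-wire layout in each mode: in CTR the 8-byte counter shim travels with every frame, so a receiver that missed a frame still decrypts the next one, while in CFB the ciphertext itself carries the cipher state and the frame keeps its plaintext size. The block function is a SHA-256 stand-in for AES-256 so the example runs with the standard library alone; the counter layout, the per-connection CFB IV and the receiver's anti-replay rule are assumptions of this example, not details from the fact sheet.

```python
import hashlib
import struct
from typing import Optional, Tuple

BLOCK = 16      # block size of the stand-in block function (AES also uses 16 bytes)
SHIM_LEN = 8    # 8-byte counter shim appended to CTR frames, as the fact sheet describes


def block_fn(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for the AES-256 forward block function: SHA-256(key || input)[:16].
    Not AES and not for deployment; it only lets the mode logic run without a crypto
    library. CTR and CFB use the forward direction only, so any keyed PRF fits here."""
    return hashlib.sha256(key + block_in).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- CTR: keystream depends only on (key, frame counter, block index) ----------------

def ctr_keystream(key: bytes, frame_counter: int, length: int) -> bytes:
    out = b""
    for block_index in range((length + BLOCK - 1) // BLOCK):
        out += block_fn(key, struct.pack("!QQ", frame_counter, block_index))  # assumed layout
    return out[:length]


def ctr_encrypt_frame(key: bytes, frame_counter: int, header: bytes, payload: bytes) -> bytes:
    """Header stays in the clear, payload is XORed with keystream, counter shim appended."""
    body = xor_bytes(payload, ctr_keystream(key, frame_counter, len(payload)))
    return header + body + struct.pack("!Q", frame_counter)


def ctr_decrypt_frame(key: bytes, header_len: int, wire: bytes) -> Tuple[bytes, bytes, int]:
    header, rest = wire[:header_len], wire[header_len:]
    body, shim = rest[:-SHIM_LEN], rest[-SHIM_LEN:]
    (frame_counter,) = struct.unpack("!Q", shim)
    return header, xor_bytes(body, ctr_keystream(key, frame_counter, len(body))), frame_counter


class CtrReceiver:
    """Decrypts CTR frames and rejects any whose counter does not advance (a replayed or
    stale frame). This anti-replay rule is an addition of the example."""

    def __init__(self, key: bytes, header_len: int):
        self.key, self.header_len, self.highest_seen = key, header_len, 0

    def receive(self, wire: bytes) -> Optional[bytes]:
        _, payload, counter = ctr_decrypt_frame(self.key, self.header_len, wire)
        if counter <= self.highest_seen:
            return None
        self.highest_seen = counter
        return payload


# ---- CFB: ciphertext feeds back into the block function, no per-frame shim ----------

def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """128-bit CFB. Each keystream block is block_fn(previous ciphertext block), so the
    receiver needs no transmitted counter: the ciphertext carries the state. The IV is
    assumed to be fixed per connection at key setup, which is why nothing is added."""
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        processed = xor_bytes(chunk, block_fn(key, prev))
        out += processed
        prev = chunk if decrypt else processed   # feedback is always the ciphertext block
    return out


def cfb_encrypt_frame(key: bytes, iv: bytes, header: bytes, payload: bytes) -> bytes:
    return header + cfb_crypt(key, iv, payload, decrypt=False)


def cfb_decrypt_frame(key: bytes, iv: bytes, header_len: int, wire: bytes) -> Tuple[bytes, bytes]:
    return wire[:header_len], cfb_crypt(key, iv, wire[header_len:], decrypt=True)


if __name__ == "__main__":
    key, hdr, payload = b"\x11" * 32, bytes(14), b"payload " * 13   # constructed sample values
    ctr = ctr_encrypt_frame(key, 1, hdr, payload)
    cfb = cfb_encrypt_frame(key, bytes(BLOCK), hdr, payload)
    print("plaintext frame", len(hdr) + len(payload), "CTR", len(ctr), "CFB", len(cfb))
```

The size accounting matches the text: the CFB frame equals the plaintext frame, the CTR frame is eight bytes longer. The shim is also what lets the `CtrReceiver` recover from a lost frame without any side channel, and the same per-frame counter is what a defender must check is never reused under one key, since two CTR frames sharing a (key, counter) pair leak the XOR of their payloads; a periodic session-key update keeps the counter space from being exhausted.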






                                Figure 3 - Internal Architecture





      An encryptor will also generate a very small amount of traffic between devices for key updates and
      management purposes. To distinguish it from other network frames this traffic is sent using the
      Senetas registered ethertype (0xFC0F).



      Compatibility
      The CN encryptors have proven interoperability with Ethernet switches from all the well known
      vendors and provide transparent support for:
        • all Ethernet frame formats
        • MPLS shims (multiple nested)
        • VLAN tags (multiple nested)
        • 802.1P class of service priority



      Key Management
      The encryption algorithm used is AES in cipher feedback mode (CFB) or counter mode (CTR) with a
      key size of 256 bits.
      Encryption keys are derived internally to FIPS standards from true hardware random number
      generators.
      Public key cryptography and X.509 certificates are used to provide a fully automated key
      management system. Master (key encrypting) keys are transferred between encryptors using
      authenticated RSA public key cryptography. Session (data encrypting) keys are transferred
      periodically between encryptors using master keys.

      Any combination of encrypted or unencrypted virtual circuits can be configured up to a maximum of
      509 active connections for a standard Ethernet frame format.

      Interoperability with 3rd party Certificate Authorities and OCSP/CRL servers is permitted and a full CA
      capability is also provided in the companion management tool CypherManager.



      Tamper Protection
      The CN series is provided in a tamper-proof 19” steel case suitable for rack mounting.








                                       Figure 4 - CN3000 Rear View




      Physical security is ensured by an active tamper protection mechanism that operates in the presence
      or absence of power. The tamper detection mechanism is triggered if an attempt is made to remove
      the interface card or remove the lid of the enclosure.

      A tampered encryptor will actively delete all sensitive material such as encryption keys and user
      passwords and will revert to a known factory default configuration.

      Holographic tamper evident seals are used to provide visibility of tampered units.



      Management
      Role-based management access is used for both local (RS232 CLI) and remote (SNMPv3)
      management. All users must be authenticated before being granted access to the encryptor.

      The user role model has three privilege levels (Administrator, Supervisor and Operator), and up to
      thirty different accounts are supported.

      The encryptor logs all configuration changes to a non-volatile audit log and also records all events to
      a non-volatile event log. Any alarm conditions are reported in the logs and in the alarm table; they
      are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can
      be sent to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by
      CypherManager.

      The encryptor can be managed securely and remotely using SNMPv3 via a dedicated management
      port on the front panel; this is referred to as out-of-band management. Remote management
      can also be enabled over the encrypted network itself so that the encryptor is managed over the
      network interface port; this is called in-band management.








                                      Figure 5 - CypherManager




      CypherManager (CM) is a Senetas developed tool that functions as a device manager and that can
      also act as a root Certificate Authority for a network of encryptors.

      CypherManager provides private, authenticated access to encryptors to enable secure remote
      management.

      CypherManager is also used to remotely upgrade firmware in encryptors over the network when
      available.




Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Understanding senetas layer 2 encryption

  • 1. Fact Sheet SEN-112 Understanding Senetas layer 2 encryption Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
  • 2. Understanding Senetas layer 2 encryption Introduction CN encryption devices are purpose built hardware appliances that have been developed in Australia by Senetas Corporation since 1997 and provide secure transport across layer 2 network services. The CN product range is mature; Federal government endorsed (it has achieved both the Common Criteria EAL4+ accreditation and the FIPS140-2 level 3 certifications); and has been deployed to protect critical infrastructure in thousands of locations in more than thirty-five countries. The CN platform is optimised to secure information transmitted over a diverse range of network protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at data rates up to 10 Gigabits per second (Gbps). The CN series latency and overhead are lower than competing solutions available in the marketplace. Encryption occurs at the data link layer (layer 2); the payload of the received network traffic is scrambled and the protocol header is left in the clear so that it can be switched through the network as intended. Encryption at layer 2 solves many of the underlying problems of traditional layer 3 encryption such as complexity, performance and support for multiple traffic types. CN encryptors are fully autonomous and operate independently in point to point or large meshed environments with no reliance on external servers. Supporting fully automatic key management with unique encryption keys per connection the devices offer the most secure, resilient and highest performance method of securing sensitive voice, video or data. This remainder of this document focuses on the CN series Ethernet encryptor to describe the layer 2 approach to securing information. Product architecture The CN encryptor is an inline device that is located on the edge of a network between a local private network, and a remote public network. 
CN encryptors provide access control, authentication and confidentiality for information transmitted between secured sites. They can be added to an existing network while remaining completely transparent to end users and network equipment. An example installation is shown in Figure 1.
Figure 1 – Ethernet Mesh Deployment

The encryptor receives frames on its ingress port; valid frames are classified according to the Ethernet header and then processed according to the configured policy. The frame processing policy is highly configurable and supports operation in point-to-point, hub-and-spoke or fully meshed environments. In a meshed environment each encryptor supports over 500 concurrent connections to peer devices, with per-connection policy tied either to the remote MAC address or to the VLAN ID. The allowable policy actions are:

• Encrypt – the payload of the frame is encrypted according to the defined policy
• Discard – the frame is dropped; no portion of it is transmitted
• Bypass – the frame is transmitted without alteration

Selective policy control allows mixed traffic profiles, so that specified traffic types can be bypassed or discarded by the device (for example, bypassing core switch operation or maintenance frames), with policy resolution down to the EtherType level. The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame; the frame is then encoded and transmitted.

Multicast traffic and VLANs

Multicast encryption is used to encrypt traffic sent from a host to all members of a multicast group. It operates at layer 2 with no requirement to modify core switch operation; policy is tied to a multicast MAC address.

VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic separation between VLANs. Policy is tied to the VLAN identifier(s).
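The classification and policy steps above, as an added example in Go that is not Senetas code: it parses an Ethernet header through nested 802.1ad/802.1Q tags, then resolves Encrypt, Discard or Bypass from a policy table keyed by EtherType, VLAN ID and destination MAC. The EtherType constants are the standard IEEE values; the resolution order (EtherType exceptions first, then the outer VLAN, then the remote MAC, then a fail-closed default), the BuildFrame helper and the sample MAC addresses are this example's assumptions, not the CN policy engine's actual behaviour.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Action is the per-frame policy outcome the fact sheet lists.
type Action int

const (
	Discard Action = iota // drop the frame; nothing is transmitted
	Bypass                // transmit unaltered
	Encrypt               // encrypt the payload; the header stays in the clear
)

const (
	etherTypeVLAN = 0x8100 // IEEE 802.1Q tag
	etherTypeQinQ = 0x88A8 // IEEE 802.1ad outer (service) tag
	etherTypeLLDP = 0x88CC // link-layer discovery, a maintenance frame one would bypass
)

// Frame is what classification needs; HeaderLen counts the bytes that stay in
// the clear (both MACs, every VLAN tag and the final EtherType).
type Frame struct {
	Dst, Src  net.HardwareAddr
	VLANs     []uint16 // outermost first
	EtherType uint16
	HeaderLen int
}

// ParseHeader walks the Ethernet header, including nested 802.1Q/802.1ad tags,
// and stops at the first EtherType that is not a tag. Any error means Discard.
func ParseHeader(raw []byte) (Frame, error) {
	if len(raw) < 14 {
		return Frame{}, errors.New("runt frame")
	}
	f := Frame{Dst: net.HardwareAddr(raw[0:6]), Src: net.HardwareAddr(raw[6:12])}
	for off := 12; ; off += 4 {
		if len(raw) < off+2 {
			return Frame{}, errors.New("truncated EtherType")
		}
		et := binary.BigEndian.Uint16(raw[off:])
		if et != etherTypeVLAN && et != etherTypeQinQ {
			f.EtherType, f.HeaderLen = et, off+2
			return f, nil
		}
		if len(raw) < off+4 {
			return Frame{}, errors.New("truncated VLAN tag")
		}
		f.VLANs = append(f.VLANs, binary.BigEndian.Uint16(raw[off+2:])&0x0FFF) // 12-bit VID
	}
}

// Policy resolves most specific first (assumed order): an EtherType exception, so
// maintenance frames bypass whatever VLAN they ride in; then the outer VLAN
// community; then the remote MAC; then the default. Fail closed: default Discard.
type Policy struct {
	ByEtherType map[uint16]Action
	ByVLAN      map[uint16]Action
	ByMAC       map[string]Action // keyed by dst MAC, "aa:bb:cc:dd:ee:ff"
	Default     Action
}

func (p Policy) Resolve(f Frame) Action {
	if a, ok := p.ByEtherType[f.EtherType]; ok {
		return a
	}
	if len(f.VLANs) > 0 {
		if a, ok := p.ByVLAN[f.VLANs[0]]; ok {
			return a
		}
	}
	if a, ok := p.ByMAC[f.Dst.String()]; ok {
		return a
	}
	return p.Default
}

// BuildFrame assembles a constructed frame (no FCS): an 802.1ad outer tag when
// double-tagged, 802.1Q tags otherwise, then the EtherType and payload.
func BuildFrame(dst, src string, vlans []uint16, etherType uint16, payload []byte) []byte {
	d, _ := net.ParseMAC(dst)
	s, _ := net.ParseMAC(src)
	raw := append(append([]byte{}, d...), s...)
	for i, vid := range vlans {
		tag := uint16(etherTypeVLAN)
		if i == 0 && len(vlans) > 1 {
			tag = etherTypeQinQ
		}
		raw = append(raw, byte(tag>>8), byte(tag), byte(vid>>8)&0x0F, byte(vid))
	}
	return append(append(raw, byte(etherType>>8), byte(etherType)), payload...)
}
```

Call ParseHeader on the raw bytes and hand the result to Policy.Resolve; the HeaderLen it returns is the byte count that an encryptor leaves in the clear, which is what a later encryption stage needs.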
In both cases a group key encryption scheme is used to ensure that encrypted data from a single sender can be received and decrypted by all members of the VLAN or multicast community. Group key encryption uses the AES CTR encryption mode.

The Senetas group key management scheme is responsible for ensuring that group keys are maintained across the visible network. It is designed to be secure, dynamic and robust, with the ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys, as such a server introduces both a single point of failure and a single point of compromise. For robustness and security, a group key master is automatically elected amongst the visible encryptors within a mesh, based on the actual traffic. Using an elected key master from within the group allows:

• Automatic discovery of multicast/VLAN encryption groups
• Automatic ageing/deletion of inactive groups
• Secure distribution and updates of keys to all members of multicast groups
• New members to securely join or leave the group at any time
• Fault tolerance to network outages and topology changes

Figure 2 - Data flow through the Encryptor (network port interface; decryption and encryption, with the header left in the clear and the payload transformed; local port interface; control and management alongside)

Performance

Encryption is implemented in dedicated silicon using a cut-through encryption architecture: only a portion of the frame needs to be received before encryption and re-transmission of the frame can begin. This approach ensures consistently low latency (in the order of 7 µs for a 1 Gbps Ethernet encryptor) independent of frame size.

In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no packet expansion is performed. In Counter mode (CTR) an 8-byte shim is appended to each encrypted frame to ensure counter values are synchronised at both ends (CTR keystream must never be reused under the same key, so this counter synchronisation matters for security as well as for interoperability). The encryptors are capable of full-duplex, full line-rate operation independent of packet size or higher-layer protocol.
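A worked illustration of the CTR path described above, added here and not taken from the product: the header bytes are copied through in the clear, the payload is encrypted with AES-256-CTR, and the frame counter is appended as an 8-byte shim, so the encrypted frame is exactly 8 bytes longer than the plaintext frame. The IV layout (4-byte per-connection salt, 8-byte frame counter, 4-byte block index), the replay check on the received counter, the demo key and the sample frame are this example's assumptions; the fact sheet states only that an 8-byte shim keeps counter values synchronised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const shimLen = 8 // the 8-byte counter shim the fact sheet describes for CTR mode

// ctrIV builds the 16-byte initial counter block. The layout is this example's
// assumption, not Senetas's: 4-byte per-connection salt || 8-byte frame counter
// || 4-byte block index. CTR increments from the low end, so a frame of up to
// 2^32 blocks never runs into the keystream of the next frame counter.
func ctrIV(salt []byte, counter uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv[0:4], salt)
	binary.BigEndian.PutUint64(iv[4:12], counter)
	return iv
}

// EncryptFrame leaves the first hdrLen bytes (MACs, VLAN tags, EtherType) in the
// clear, encrypts the rest with AES-256-CTR and appends the frame counter as an
// 8-byte shim so the receiver can rebuild the same IV. Output grows by 8 bytes.
func EncryptFrame(key, salt []byte, counter uint64, frame []byte, hdrLen int) ([]byte, error) {
	if len(key) != 32 || len(salt) != 4 || hdrLen < 14 || hdrLen > len(frame) {
		return nil, errors.New("bad key, salt or header length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(frame)+shimLen)
	copy(out, frame[:hdrLen])
	cipher.NewCTR(block, ctrIV(salt, counter)).XORKeyStream(out[hdrLen:len(frame)], frame[hdrLen:])
	binary.BigEndian.PutUint64(out[len(frame):], counter)
	return out, nil
}

// DecryptFrame reverses EncryptFrame. lastCounter is the receiver's per-connection
// high-water mark (this example's addition): a counter that does not advance is
// either a replay or keystream reuse, and CTR has no integrity of its own, so drop it.
func DecryptFrame(key, salt []byte, lastCounter *uint64, enc []byte, hdrLen int) ([]byte, error) {
	if len(salt) != 4 || hdrLen < 14 || len(enc) < hdrLen+shimLen {
		return nil, errors.New("bad salt, header length or frame too short for a shim")
	}
	counter := binary.BigEndian.Uint64(enc[len(enc)-shimLen:])
	if counter <= *lastCounter {
		return nil, errors.New("stale or replayed counter")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	body := enc[:len(enc)-shimLen]
	out := make([]byte, len(body))
	copy(out, body[:hdrLen])
	cipher.NewCTR(block, ctrIV(salt, counter)).XORKeyStream(out[hdrLen:], body[hdrLen:])
	*lastCounter = counter
	return out, nil
}

// SampleFrame is a constructed untagged frame: dst MAC, src MAC, EtherType 0x0800,
// then a 40-byte payload standing in for an IP packet.
func SampleFrame() []byte {
	hdr := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00}
	return append(hdr, []byte("constructed payload: forty bytes of data")...)
}

func main() {
	key := make([]byte, 32) // demo key only; the product derives keys from a hardware RNG
	salt := []byte{0xde, 0xad, 0xbe, 0xef}
	frame := SampleFrame()
	enc, _ := EncryptFrame(key, salt, 1, frame, 14)
	var last uint64
	dec, err := DecryptFrame(key, salt, &last, enc, 14)
	fmt.Printf("in=%d out=%d header-in-clear=%v roundtrip=%v\n", len(frame), len(enc),
		string(enc[:14]) == string(frame[:14]), err == nil && string(dec) == string(frame))
	_, err = DecryptFrame(key, salt, &last, enc, 14)
	fmt.Println("replay rejected:", err)
}
```

The receiver derives hdrLen by parsing the clear header exactly as the sender did; passing it explicitly here keeps the example focused on the cipher path.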
Figure 3 - Internal Architecture
An encryptor also generates a very small amount of traffic between devices for key updates and management purposes. To distinguish it from other network frames, this traffic is sent using the Senetas registered EtherType (0xFC0F).

Compatibility

The CN encryptors have proven interoperability with Ethernet switches from all the well-known vendors and provide transparent support for:

• all Ethernet frame formats
• MPLS shims (multiple nested)
• VLAN tags (multiple nested)
• 802.1p class of service priority

Key Management

The encryption algorithm used is AES in cipher feedback mode (CFB) or counter mode (CTR) with a key size of 256 bits. Encryption keys are derived internally, to FIPS standards, from true hardware random number generators.

Public key cryptography and X.509 certificates are used to provide a fully automated key management system. Master (key encrypting) keys are transferred between encryptors using authenticated RSA public key cryptography. Session (data encrypting) keys are transferred periodically between encryptors under the master keys. Any combination of encrypted or unencrypted virtual circuits can be configured, up to a maximum of 509 active connections for a standard Ethernet frame format.

Interoperability with third-party Certificate Authorities and OCSP/CRL servers is supported, and a full CA capability is also provided in the companion management tool CypherManager.

Tamper Protection

The CN series is provided in a tamper-proof 19" steel case suitable for rack mounting.
Figure 4 - CN3000 Rear View

Physical security is ensured by an active tamper protection mechanism that operates whether or not power is present. The tamper detection mechanism is triggered if an attempt is made to remove the interface card or the lid of the enclosure. A tampered encryptor actively deletes all sensitive material, such as encryption keys and user passwords, and reverts to a known factory default configuration. Holographic tamper-evident seals provide visibility of tampered units.

Management

Role-based management access is used for both local (RS232 CLI) and remote (SNMPv3) management. All users must be authenticated before being granted access to the encryptor. The user role model has three privilege levels, Administrator, Supervisor and Operator, and up to thirty different accounts are supported.

The encryptor logs all configuration changes to a non-volatile audit log and also records all events to a non-volatile event log. Any alarm conditions are reported in the logs and in the alarm table; they are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can be sent to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by CypherManager.

The encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on the front panel; this is referred to as out-of-band management. Remote management can also be enabled over the encrypted network itself so that the encryptor is managed over the network interface port; this is called in-band management.
Figure 5 - CypherManager

CypherManager (CM) is a Senetas-developed tool that functions as a device manager and can also act as a root Certificate Authority for a network of encryptors. CypherManager provides private, authenticated access to encryptors to enable secure remote management. CypherManager is also used to remotely upgrade encryptor firmware over the network when new firmware is available.