2. Objectives <
Provide an overview of the Datacryptor Ethernet Layer 2
Introduce the new version 4.5 and describe what it offers
Describe what it does for customers and problems it solves
Explain how multipoint and MPLS options work in practice
Describe technical features and benefits of the product
Highlight value the product offers to the end users
Illustrate a representative user case and applied solution
Protecting Data in Transit
1
3. Overview <
Datacryptor Layer 2 Ethernet is a hardware encryption module that protects data in
transit - where it is most vulnerable to interception and alteration
Layer 2 encryption yields minimum overhead and frame expansion in transit
Alternative Layer 3 encryption technologies significantly expand data packets
Fill up to 60% of the bandwidth the customer is buying from the carrier – costing more money
Alternative Layer 3 encryption technologies can also introduce delays
Render latency-sensitive applications (voice, video, and multi-media) unusable
Layer 2 Ethernet encryption allows one to secure the data without having to buy more
bandwidth from the carrier than one actually needs to sustain the traffic flow
Layer 2 Ethernet encryption only introduces minimal latency (microseconds)
Alternative Layer 3 encryption introduces sizeable latency (milliseconds)
Protects data and helps avoid the potentially devastating costs and embarrassment
associated with data breaches
Provides a mechanism for complying with growing government and industry regulations
4. Overview /2 <
What does this all mean?
Packet expansion resulting from encryption costs the customer money
[Figure: original unencrypted packet (header, payload) beside the IPSec-encrypted packet; the IPSec overhead added to each packet gives up to 60% expansion per packet for aggregated VoIP, data and multi-media traffic]
Datacryptor saves bandwidth that customers would otherwise have to buy
A simple analogy - protective packaging and shipping
[Figure: Layer 3 (IPSec) is an oversized crate ($$$$$$$); Layer 2 (Ethernet) is a compact, cost-effective box ($)]
5. What does the new product version offer? <
Datacryptor Ethernet Layer 2 Ver 4.5 is a common code upgrade
Expands features/functions of 100 Mbps, 1, and 10 Gbps models
Introduces secure multipoint encryption feature as a license option
Provides centralized automatic key generation, distribution, and
fully-meshed secure connectivity up to 200 nodes in a backbone
Key generation and distribution embedded in central-site encryptor
Delivers maximum encrypted throughput with minimum latency
Galois Counter Mode (GCM) cryptographic mode in multipoint
operation provides increased security through encryption and
frame authentication that facilitates protection against replay
Multi Protocol Label Switching (MPLS)-awareness feature uses a
more flexible IP-based key distribution scheme and enables units
to be deployed both at the edge and within network infrastructures
6. What does the new product version offer? <
No hardware changes
[Figure: 100 Mbps model with callouts: single fixed AC (Universal) and DC (-48V) power options; tamper label (3); serial console; 10/100 Mbps Ethernet management port; fixed RJ-45 10/100BaseT host and network interfaces]
Unit is rack-mountable and has a single AC or DC power supply and fixed RJ-45 host and
network copper interfaces
Models can interoperate with 1 and 10 Gbps models in multipoint configurations
7. What does the new product version offer? /2 <
No hardware changes
[Figure: 1 Gbps model with callouts: 10/100 Mbps Ethernet management port; serial console; dual swappable AC (Universal) or DC (-48V) power options; removable SFP optical interfaces]
Units are rack-mountable
1 and 10 Gbps units have dual and redundant AC or DC power supplies with removable
copper or optical SFP/XFP host and network interface modules
[Figure: 10 Gbps model with callouts: 10/100 Mbps Ethernet management port; serial console; dual swappable AC (Universal) or DC (-48V) power options; removable XFP optical interfaces]
All models can interoperate in multipoint configurations
8. What does the new product version do for you? <
Protects the confidentiality of sensitive data where it is most vulnerable to
interception – in transit as it travels over an otherwise unprotected shared public
network
Secures your network against data security breaches and helps you fulfill government
and industry data protection regulations
Enables you to securely use more cost-effective data transport services such as
carrier Layer 2 Ethernet and MPLS services without adversely impacting
operational performance
9. What problem are we solving? <
Threats to data security and fulfillment of government regulations
Enabling secure critical applications such as
■ Bulk data transport for disaster recovery and business continuity
■ Point-to-point wireless and microwave MAN connectivity
■ Distributed data center connectivity
Providing a secure cost-effective alternative to IPSec
Up to 60% overhead introduced by encryption over IP
Facilitating secure and efficient use of bandwidth
10. Why Layer 2 encryption? <
In a study by the Rochester Institute of Technology (RIT), it was determined that
Layer 2 encryption technologies provide superior throughput and far lower latency
than IPSec VPNs operating at Layer 3
The encryption of traffic at line speed, the addition of constant minimal latency
regardless of frame size, and minimal frame loss make Layer 2 encryption a highly
desirable solution
Enterprises that need to secure point-to-point or multipoint links are likely to
achieve better encryption performance by shifting from traditional encryption with
IPSec at Layer 3 to encryption of frame payloads at Layer 2
11. Typical deployment scenarios <
Secure datacenter backbone connectivity over distributed network
Secure business continuity and disaster recovery multi-site connection
[Figure: headquarters, satellite office and data centers connected over a Layer 2 Ethernet or MPLS carrier network]
12. Ethernet Layer 2 products at a glance <
Ethernet Layer 2 Available Models
Speed         Point-to-Point   Multipoint
10/100 Mbps   DCME-LL76x       DCME-XL76x
1 Gbps        DCGE-LG7Sx       DCGE-XG7Sx
10 Gbps       DCGE-LI7Sx       DCGE-XI7Sx
AES (256-bit)
Transparent to line protocols
Multiple modes of operation
■ Bulk
■ Tunnel
■ Clear Header (Extended LAN/VLAN NS MPLS-aware)
RJ-45 interfaces (10/100M)
Removable pluggable interfaces (1/10G)
Dual/redundant power supplies (1/10G)
Universal AC and -48V DC options
FIPS 140-2 Level 3
Common Criteria EAL 3
13. Associated software applications <
Element Manager (Included)
Allows the customer to securely configure and monitor encryptors in the network
SNMP Manager (Supports Customers’ System)
Allows the customer to monitor encryptors in the network as part of their existing
enterprise management system
Certificate Manager (Ordered Separately)
Allows the customer to generate their own seed material required for the X.509
certificates used by encryptors to exchange keys
14. How does multipoint option work? <
Units can be configured to operate in point-to-point or multipoint mode
In point-to-point mode
Units are associated in discrete pair-wise connections
Each takes equal part in establishing an agreed Key Encryption Key (KEK)
Each takes equal part in establishing an agreed Data Encryption Key (DEK)
A Datacryptor can only encrypt/decrypt traffic from a single peer
In multipoint and MPLS mode
KEK agreement is unchanged
DEK is generated centrally by the Key Management Application (KMA)
KMA is embedded within the central-site encryption device
A common DEK is used by all peer units in the backbone network
Any Datacryptor can securely connect to any other unit in the network
Up to 200 nodes supported (1 central site and 199 remote peers)
Multiple keys maintained at all times to ensure uninterrupted traffic
IP-based key distribution allows compatibility with a wider set of commercial
switching equipment used in MPLS network environments
15. How does multipoint option work? <
Multipoint option provides the capability for Datacryptor 100 Mbps, 1, and 10
Gbps units to operate in fully-meshed configurations
Enables encryption and decryption of unicast, multicast, and broadcast traffic
[Figure: Ethernet Layer 2 network with Datacryptor1, Datacryptor2, Datacryptor3, Datacryptor4 ... DatacryptorX attached via a router, plus the central KMA platform and the management application platform; every peer holds the common DEK1. KEK uses the same current process (DH); the common DEK is generated by the KMA and distributed to all peers]
Step 1: DH exchange generates a unique KEK with each peer encryptor
Step 2: Single or multiple common DEKs generated and distributed (DEK1, DEK2, DEKx)
16. How does multipoint option work? <
The KMA
KMA application software generates, stores, and distributes key material to all
peer encryption units in the network
The application runs on a standard Datacryptor 100 Mbps, 1, or 10 Gbps unit,
which also performs the function of central-site encryptor
The KMA is initially programmed with the Media Access Control (MAC) address of
each of the peer Datacryptor units in the network
Peer units in the network are also programmed with the MAC address of the KMA unit
when commissioned
In multipoint/MPLS mode, IP-based key management is used instead of the
MAC addressing used for point-to-point and non-MPLS multipoint modes
Configuration of the KMA and peers is done through the Thales Element Manager
(EM) Front Panel Viewer (FPV) application
FPV enables the security manager to set general parameters for multipoint
operation, including peer MAC addresses and common key generation and
distribution parameters such as the frequency of KEKs and DEK lifetime settings
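A simplified model of the two-step key flow described in these multipoint slides (a per-peer KEK from a DH exchange, then a common DEK generated centrally and wrapped for every peer, with the previous DEK retained during rollover), added here as an illustration and not Thales code: the toy DH group, the HMAC-based key wrap and the names Peer, KMA and demo are assumptions.

```python
import hashlib, hmac, secrets

# Toy DH group, an assumption for illustration: 2**127-1 is prime, but a real unit uses a standardised large group.
P, G = (1 << 127) - 1, 5

def kek_from_dh(priv, peer_pub):
    """Step 1: per-peer Key Encryption Key derived from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()
def wrap(kek, key_id, dek):
    """Toy authenticated key wrap (HMAC keystream + HMAC tag) standing in for the real one."""
    ks = hmac.new(kek, b"wrap" + bytes([key_id]), hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, ks))
    tag = hmac.new(kek, bytes([key_id]) + ct, hashlib.sha256).digest()[:16]
    return key_id, ct, tag
def unwrap(kek, key_id, ct, tag):
    expect = hmac.new(kek, bytes([key_id]) + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrapped DEK failed authentication")
    return wrap(kek, key_id, ct)[1]  # XOR with the same keystream recovers the DEK

class Peer:
    def __init__(self, name):
        self.name, self.kek, self.deks = name, None, {}  # deks: key_id -> DEK
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
    def receive(self, key_id, ct, tag):  # older DEKs are kept so a rollover never stops traffic
        self.deks[key_id] = unwrap(self.kek, key_id, ct, tag)

class KMA:
    """Central-site key management: a unique KEK per peer, one common DEK for all peers."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub, self.keks, self.next_id = pow(G, self.priv, P), {}, 1
    def enrol(self, peer):  # step 1, once per peer
        self.keks[peer.name] = kek_from_dh(self.priv, peer.pub)
        peer.kek = kek_from_dh(peer.priv, self.pub)  # both sides reach the same KEK
    def distribute(self, peers):  # step 2: one 256-bit DEK, wrapped separately for each peer
        key_id, dek = self.next_id, secrets.token_bytes(32)
        self.next_id += 1
        for p in peers:
            p.receive(*wrap(self.keks[p.name], key_id, dek))
        return key_id

def demo(n=4):
    kma, peers = KMA(), [Peer(f"Datacryptor{i}") for i in range(1, n + 1)]
    for p in peers:
        kma.enrol(p)
    _, new_id = kma.distribute(peers), kma.distribute(peers)  # DEK2 issued, DEK1 still held
    return {"unique_keks": len({p.kek for p in peers}) == n,
            "same_dek": len({p.deks[new_id] for p in peers}) == 1,
            "dek_ids": sorted(peers[0].deks)}
```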
17. Features and benefits <
[Table: Feature / Models with feature (100M, 1G, 10G) / Benefit. New to this release:]
Feature: Multipoint capability across all platforms
Benefit: Feature now available in all three Ethernet models, enabling any of these to
interoperate in fully meshed Layer 2/MPLS environments. Key material is generated and
distributed by an application embedded with the designated central-site encryptor.
Feature: GCM cryptography in multipoint modes
Benefit: Provides increased security through frame authentication and replay protection.
Allows out-of-sequence packets to be properly processed through the encryptor when the
unit is operating in multipoint mode.
Feature: MPLS-awareness feature in multipoint mode
Benefit: Enables encryptors to properly secure data payloads without hiding the MPLS tags
required for routing frames through the network infrastructure.
Feature: IP-based key management in multipoint/MPLS mode
Benefit: Supplements the MAC addressing used for point-to-point and non-MPLS multipoint
modes. Allows compatibility with a wider set of commercial switching equipment used in
MPLS network environments.
Feature: Expanded number of peers
Benefit: Increases the number of peer connections that any one unit can achieve in a
multipoint configuration to 200 simultaneous connections.
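The replay protection and out-of-sequence handling credited to GCM above, as an added example that is not the product's own code: a sliding-window replay check over authenticated frames, where a constructed frame layout and an HMAC tag (both assumptions) stand in for the GCM tag, showing that a late frame inside the window is accepted while a duplicate, a stale frame or a forged tag is rejected.

```python
import hashlib, hmac, struct

WINDOW = 64  # frames more than 64 sequence numbers behind the newest one are rejected
KEY = b"constructed-demo-key"  # constructed value standing in for the shared DEK

def auth_frame(key, seq, payload):
    """Constructed frame layout: 8-byte sequence number || payload || 16-byte tag.
    An HMAC tag stands in for the GCM tag; the replay logic is what is demonstrated."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

class ReplayWindow:
    """Sliding window for an authenticated-frame receiver: accepts fresh frames in any
    order inside the window, rejects duplicates, stale frames and frames with bad tags."""
    def __init__(self, key):
        self.key, self.top, self.seen = key, 0, 0  # seen: bitmap, bit k set = top-k received
    def accept(self, frame):
        body, tag = frame[:-16], frame[-16:]
        calc = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(calc, tag):
            return "bad tag"  # forged or corrupted: must not move the window
        seq = struct.unpack(">Q", body[:8])[0]
        if seq > self.top:  # newest frame so far: slide the window forward
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= WINDOW:
            return "too old"
        if self.seen >> offset & 1:
            return "replay"
        self.seen |= 1 << offset  # out-of-sequence but never seen before: accept it
        return "ok"

def demo():
    rx = ReplayWindow(KEY)
    results = [rx.accept(auth_frame(KEY, s, b"frame")) for s in (1, 2, 4, 3, 3, 2, 70, 5)]
    forged = auth_frame(KEY, 6, b"frame")[:-16] + bytes(16)  # tag replaced by zeros
    return results + [rx.accept(forged)]
```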
18. Value to end user <
Robust encryption of data in transit - where it is most vulnerable -
with minimum operational impact
Increased security through encryption and frame authentication
Saves up to 60% in bandwidth utilization and resulting data
transport costs
Easy installation into existing networks, quickly securing them and
saving you money
Helps you comply with new government and industry data security
regulations
Protects data confidentiality and integrity - so even if intercepted,
security cannot be breached
19. Representative user case-customer requirements <
Customer is a data center operator connecting remote customer sites
Example shows 18 data centers connected to a central site (can be up to 199)
Each site must also securely connect with each other for actualization
Connections between sites use a Layer 2 Ethernet MPLS carrier service
in a combination of speeds (100 Mbps, 1, and 10 Gbps)
20. Representative user case-customer architecture <
[Figure: 18 data center sites (Site 1 to Site 18) connected to the central site over a shared switched Ethernet Layer 2 or MPLS carrier network, with vulnerability points marked on the shared network]
Sensitive data flow over more distributed connections
Increased exposure over vulnerable open environment
21. Representative user case-secured network <
[Figure: secured network; the 18 sites, in groups of x8, x5 and x5, connect to the central site (primary and spare concentrator encryptors, with Element Manager and Certificate Manager) over the shared switched Ethernet Layer 2 or MPLS carrier network]
Uses Datacryptor 10 Gbps Ethernet Layer 2 Multipoint encryptor as concentrator
Uses Datacryptor 100 Mbps, 1, and 10 Gbps Multipoint units at remote sites
Any site can also connect securely with any other site
All connections secured with AES-256 encryption
22. Use Case – Thales Solution <
Primary equipment
Quantity (8) 100 Mbps units
Quantity (5) 1 Gbps units + SFP modules
Quantity (6) 10 Gbps units + XFP modules
Quantity (1) CM
Quantity (1) EM/FPV (no cost)
Spares
Quantity (1) 10 Gbps unit + XFP modules
Installation
Training
Maintenance options