NATIONAL RESEARCH AGENCY CASE STUDY - CCTV NETWORK SERVICES




A major CCTV network and surveillance services provider chose Senetas certified high-speed encryptors to protect the data transmitted over a European law enforcement CCTV network. Senetas CN Series encryptors enable certified data security and integrity without compromising the CCTV network's performance.

OUR CUSTOMER AND ITS NEEDS

Our customer is a specialist in delivering intelligent and secure surveillance information in challenging environments; it works with governments and multinational corporations on the most complex and critical surveillance challenges within the defence, law enforcement and critical infrastructure sectors. Working with a law enforcement organisation in Northern Europe, the challenge was to design a secure video distribution infrastructure that would allow sensitive CCTV streams to be securely distributed across the whole country.

CCTV technology is commonly used to help protect high-profile locations such as borders, airports, public buildings, military bases, oil and gas facilities, public gathering areas and streets, ports and public transportation systems. Demand for live video is being driven by many sectors and has led to a proliferation of network video traffic, much of which is sensitive and must be securely and efficiently transmitted across communication infrastructures.

Specifically, CCTV data requires protection against privacy breaches, injection of rogue data and any unauthorised access that may adversely affect the integrity of the CCTV data. These are particularly important issues to law enforcement. Importantly, efficient video distribution (which typically involves very large volumes of data) uses multicast transmission protocols to ensure that data is only sent to devices that have requested it.

Figure 1 CCTV Network (secure cloud service)

A first solution was considered based on a regular Layer 3 routed data network, with all traffic using the common IPSec security protocol. IPSec is an industry standard for securing data across Layer 3 routed data network environments; it is optimised for use on best-effort networks such as the Internet. However, the IPSec protocol has several limitations, especially when high-performance delivery of the CCTV feeds is required: maximum speed, low latency and minimum network overhead. There are also technical issues of complexity that arise when encrypting at Layer 3. Layer 3 IPSec encryption solutions typically require customers to increase the network bandwidth at considerable cost to overcome (in part) some of these limitations. IPSec introduces a high additional per-frame overhead that may generate significant additional network bandwidth and latency when compared to the unencrypted traffic.

Figure 2 IPSec encryption overhead (IP transport mode: IP header, ESP header, IP payload, ESP trailer, ESP authentication; all IP addresses exposed. IPSec tunnel mode: new IP header, ESP header, IP header, IP payload, ESP trailer, ESP authentication; huge overhead of 58-73 bytes; the encryptor has to participate in network routing)

Also, securing multicast encryption at Layer 3 is problematic because the underlying network requires additional routing protocols to support multicast traffic, such as the Protocol-Independent Multicast (PIM) routing family. These protocols add a further level of complexity when they are required to interoperate with IPSec encryption. In practice, much multicast IP (Internet Protocol) traffic is therefore encapsulated in GRE (Generic Routing Encapsulation) tunnels to allow the simpler encryption of unicast traffic, albeit with far higher overheads. Consequently, when encrypting at Layer 3, the underlying data network and equipment typically need to be of a higher specification and cost, and data delivery is very inefficient for larger scale multicast deployments.

SENETAS PRODUCT SOLUTION

With the limitations and disadvantages of transmitting multi-location CCTV data across Layer 3 network links clearly identified, an alternative network architecture was considered. The alternative network architecture (proposed and ultimately preferred) was based on a pure Layer 2 WAN service with high-speed encryption at the Ethernet layer. The Senetas CN high-speed encryptors would not add overheads to the network data, offered near-zero latency and have no impact on other network assets. Importantly, at Layer 2 the Senetas encryptors provide a far simpler "set and forget" implementation and ongoing management, making the solution much more efficient technically and financially.

The Senetas encryption solution is optimised for network services such as Metro Ethernet E-LAN, E-LINE or E-TREE, Layer 2 MPLS (VPLS), or simple point-to-point dark fibre and WDM (Wavelength Division Multiplexing) connections. Because Layer 2 encryption occurs at the data link layer on Ethernet networks, the Ethernet payload is encrypted but the Ethernet header (including MAC addresses and VLAN identifiers) is unmodified, allowing transmission across service provider networks. The Ethernet payload fully encapsulates the IP header and IP payload, which are therefore also encrypted, providing the additional security benefit of hiding all IP addresses in the transmitted data. By taking advantage of the underlying Layer 2 network characteristics, encryption at Layer 2 may deliver 100% throughput even at speeds up to 10Gbps with little or no additional per-frame overhead. And because encryption occurs at the data link layer, no special configuration or protocols are required to encrypt multicast or broadcast traffic.

Figure 3 Ethernet encryption overhead (simple transport mode: MAC header DA/SA/VID 18 bytes, payload data 16-1500 bytes, CRC checksum 4 bytes; zero overhead, all IP headers protected. Authenticated mode: MAC header 18 bytes, SecTag with IV 8 bytes, data 16-1500 bytes, Integrity Check Value 4-16 bytes, CRC checksum 4 bytes; integrity and replay protection, 24 bytes overhead worst case)

To ensure efficient multicast data transmission across a Layer 2 network, protocols such as IGMP or MLD are often deployed between hosts and routers. Network switches may also perform IGMP monitoring, listening in on the IGMP conversation so that they can maintain a map of the links that need IP multicast streams. This mechanism maintains data network efficiency by only delivering frames where they are needed. By allowing IGMP/MLD traffic to be bypassed (when required), a Layer 2 encryptor allows the network to continue operating with maximum efficiency without requiring any changes to its underlying operation.

Ultimately, for these reasons of encryption and data network performance and efficiency, the CCTV services provider and its customer chose to implement Senetas high-performance Ethernet encryptors. The Senetas CN encryptors protect data transmitted from approximately one hundred end points throughout Northern Europe, from where video traffic is distributed. By reducing data latency and network overheads and minimising technical complexity, the Senetas CN encryptors maximise the bandwidth available for the customer's use. The customer is able to significantly reduce its bandwidth and network management requirements and ultimately its costs.

THE OUTCOME AND CUSTOMER BENEFITS

Senetas CN series Ethernet encryptors provide certified information security: full line-rate encryption for all data transmitted across point-to-point, hub-and-spoke and fully meshed data network environments. Network performance is maximised for delivery of multicast as well as unicast traffic. Simple, automatic zero-touch key management ensures that encryption scales efficiently to the largest deployments.

Figure 4 CN6040 Ethernet encryptor

Figure 5 Layer 2 vs Layer 3 throughput (real throughput, 50% to 100%, for frame sizes of 64, 128, 256, 512, 1024, 1280 and 1518 bytes; series: Senetas CTR shim rate 8, Senetas GCM shim rate 32, IPSec ESP, IPSec GRE_ESP)

The continuous and consistent near-zero latency performance is enabled by Senetas's unique technology: purpose-built hardware encryption engines which perform cut-through processing of network traffic at wire speed. Their tamper-resistant chassis protects all encryption keys and user credentials at government-certified levels. Senetas CN encryptors hold all three leading international, independent testing authority certifications: FIPS, Common Criteria and CAPS.
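To make the overhead figures concrete, here is an added Python model (not Senetas code, and not data taken from Figure 5) that uses the per-frame overheads quoted in Figures 2 and 3 to compute, for the frame sizes on the x-axis of Figure 5, what fraction of link capacity carries the original traffic and what link rate is needed for a given goodput. It assumes the overhead is added once per frame and ignores fragmentation and key-exchange traffic, so it understates the Layer 3 cost rather than overstating it.

```python
"""Per-frame overhead model for the encryption modes shown in Figures 2, 3 and 5."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptionMode:
    name: str
    overhead_bytes: int  # bytes added to every frame, taken from the page's figures


# Overheads as quoted on the page: Layer 2 transport mode adds nothing,
# Layer 2 authenticated mode adds a SecTag (8) plus ICV (up to 16) = 24 bytes
# worst case, and IPSec tunnel mode adds 58-73 bytes (worst case used here).
MODES = (
    EncryptionMode("L2 transport (zero overhead)", 0),
    EncryptionMode("L2 authenticated (SecTag 8 + ICV 16)", 8 + 16),
    EncryptionMode("IPsec ESP tunnel (worst case)", 73),
)

# Frame sizes on the x-axis of Figure 5 (standard Ethernet minimum to maximum).
FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def efficiency(mode: EncryptionMode, frame_size: int) -> float:
    """Fraction of link capacity that carries the original frame.

    Simplifying assumption: the overhead is added once per frame and the frame
    is not fragmented, so efficiency = frame / (frame + overhead).
    """
    return frame_size / (frame_size + mode.overhead_bytes)


def bandwidth_for_goodput(mode: EncryptionMode, goodput_gbps: float, frame_size: int) -> float:
    """Link rate (Gbps) needed to deliver goodput_gbps of original traffic."""
    return goodput_gbps / efficiency(mode, frame_size)


def efficiency_table() -> dict:
    """Efficiency per mode across the Figure 5 frame sizes, rounded to 3 places."""
    return {m.name: [round(efficiency(m, f), 3) for f in FRAME_SIZES] for m in MODES}


if __name__ == "__main__":
    for mode in MODES:
        row = "  ".join(f"{efficiency(mode, f):6.1%}" for f in FRAME_SIZES)
        print(f"{mode.name:40s} {row}")
    # Link rate required to carry 10 Gbps of 64-byte CCTV frames under each mode.
    for mode in MODES:
        print(f"{mode.name:40s} needs {bandwidth_for_goodput(mode, 10.0, 64):.1f} Gbps")
```

The smallest frames are the worst case: at 64 bytes the IPsec tunnel worst case leaves under half the link for payload, while the Layer 2 authenticated mode still carries about 73%.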

Figure 6 CM7 Management tool

To ease implementation and encryptor management, Senetas CM7 remote management software is provided to all customers. Large numbers of encryptors are easily and securely managed using Senetas CM7. Using SNMPv3, this tool provides simple, secure remote management, either out-of-band or in-band using the Ethernet port. Other important benefits to our customer include:

> > FLEXIBILITY AND INTEROPERABILITY: Senetas's unique Field Programmable Gate Array technology enables customisation flexibility. All CN encryptors are interoperable, providing an efficient long-term investment.

> > ZERO IMPACT: Senetas CN encryptors have no impact on other network assets and do not require any network changes during implementation.

> > OUTSTANDING RELIABILITY: Senetas encryptors provide 99.999% uptime in the most demanding 24/7 availability environments. Their defence-grade design and manufacture ensure peace of mind.

> > FIELD UPGRADABILITY: among the various CN encryptors, many have field-replaceable and upgradeable components.