ETHERNET ENCRYPTION MODES TECHNICAL-PAPER




The CN series encryption platform is designed to secure information transmitted over a number of network protocols. The CN series encryptors secure Ethernet networks at data rates up to 10 Gigabits per second (Gbps). Senetas CN encryptors operate at the data link layer (Layer 2) and provide confidentiality by encrypting the payload of received network traffic whilst leaving the protocol header in the clear, so that the frame is switched through the network as intended. Information is encrypted using the AES algorithm with a key size of 256 bits. AES operates in either cipher feedback (CFB) or counter (CTR) mode, depending on the interface and network speed.

Senetas encryption is implemented in firmware using field programmable gate array (FPGA) technology, which gives the flexibility to customise the product to customers' network operations needs. The Senetas CN series is developed and manufactured in Australia by Senetas Corporation. It is a mature product that is widely used in government and commercial networks around the world, including the US Defence Department. The CN series is certified to Common Criteria EAL4+, FIPS 140-2 Level 3 and CAPS Baseline.

ETHERNET ENCRYPTION

The Senetas CN series supports Ethernet encryption at speeds from 10 Mbps to 10 Gbps with near-zero latency (approximately 5 µs at 10 Gbps), due to its cut-through frame processing architecture and FPGA-based hardware implementation. The platform is suitable for use in point-to-point, hub and spoke and fully meshed topologies. The encryptor can encrypt unicast, multicast and broadcast frames and supports over five hundred simultaneous encrypted connections to other devices.

Confidentiality of the Ethernet frame is provided by encrypting the payload using AES with 256-bit keys in either CFB or CTR mode. The Ethernet frame header is left unchanged, which allows the frame to be switched through an Ethernet network; MPLS and VLAN header fields can be bypassed or encrypted as required to suit the network. Public key cryptography and X.509 certificates provide a fully automated key management system with fast connection establishment and regular key changes. Flexible policy options allow any combination of encrypted or unencrypted virtual circuits to be configured, up to a maximum of 512 active connections. Each encrypted connection uses unique encryption keys.

ENCRYPTION MODES

The Senetas CN series Ethernet encryptors operate in one of several modes; the choice of mode depends on the network topology and the required functionality. In all modes secure authenticated connections are automatically established across the network between devices, minimising user configuration. After connections have been established, keys are updated automatically at a configurable interval of between one and sixty minutes.

Line mode

Line mode is used to encrypt traffic between a pair of devices across a point-to-point connection on either a dark fibre or service provider Layer 2 link. In line mode traffic is encrypted independently of the frame's MAC address or VLAN ID. Additional policy control allows traffic to be selectively encrypted, bypassed or discarded according to the frame's Ethertype (protocol) and address type (i.e. unicast, multicast or broadcast).

Line mode is the best choice when:
> Securing a point-to-point connection between two locations across dark fibre

Multipoint MAC mode

MAC mode is used to encrypt traffic among two or more devices connected in either a mesh or hub and spoke topology. In MAC mode an encryptor can support up to 512 (model dependent) concurrent encrypted connections. The remote unicast MAC address in each received frame is parsed to determine the connection, and hence the encryption key, to be used. Selective encryption policy can also be applied per Ethertype and address type, as in line mode. MAC mode provides automatic discovery of connections and cryptographic separation between them.

MAC mode is the most appropriate mode to use when:
> Multipoint operation is required and multiple VLANs are not in use on the network

Multipoint VLAN mode

VLAN mode is also used to encrypt traffic among two or more devices connected in either a mesh or hub and spoke topology. The principal difference between MAC mode and VLAN mode is that in VLAN mode the encryption policy is tied to the VLAN IDs in use on the network, not to the MAC addresses of the end points. For each VLAN in use, a group encryption key is created and shared between all encryptors passing traffic on that VLAN. The group key scheme allows:
> Automatic discovery of VLAN group membership
> Secure distribution of keys to all members of the group
> New members to securely join or leave the group at any time
> Fault tolerance to network outages and topology changes

Additionally, each VLAN connection can be associated with a separate X.509 certificate that is used for authenticating the peers on that connection. This can be used to provide separate trust domains in the network (e.g. if traffic on each VLAN comes from a different customer) by associating each VLAN connection with a different certificate authority.

VLAN mode is the most appropriate mode to use when:
> Multiple VLANs are in use
> Multicast as well as unicast traffic is present
> Cryptographic separation between VLANs is required
> The network is observing QoS markings or reordering frames between encryptors

In VLAN mode, VLAN IDs are learnt by the encryptor and connections are automatically established on demand for each VLAN. A separate group encryption key is used for each VLAN ID and secures unicast, multicast and broadcast traffic on that connection. To support Q-in-Q (stacked VLAN) topologies, connections can be defined on the inner and/or outer VLAN identifier. Selective encryption policy can also be applied per Ethertype and address type, as in line and MAC modes.
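The frame handling described under ETHERNET ENCRYPTION and the key selection in the three modes above can be modelled in a few dozen lines. The Python below is an added example written for this edition of the paper; it is not Senetas code and does not describe the internals of the CN series. AES-256 is not in the Python standard library, so the keystream is produced by HMAC-SHA256 in a CTR-style construction; the structural point the paper makes still holds, namely that the ciphertext is exactly the length of the payload, so the MAC addresses, VLAN tags and Ethertype are copied through untouched and the frame switches normally. The names (process_frame, connection_id, SITE_A, SITE_B, the KEYS and POLICY tables) and the sample frames are constructed for the example. How the real product carries or synchronises the CTR counter between peers is not described in the paper, so the counter is passed in explicitly.

```python
import hashlib
import hmac
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}  # 802.1Q, 802.1ad (Q-in-Q) and legacy stacked-tag TPIDs


def parse_header(frame: bytes):
    """Return (header_len, dst, src, vids, ethertype); vids is outer tag first."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] in TPIDS:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)  # 12-bit VID
        off += 4
    return off + 2, dst, src, tuple(vids), struct.unpack("!H", frame[off:off + 2])[0]


def address_type(dst: bytes) -> str:
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"


def connection_id(mode: str, dst: bytes, vids: tuple, vlan_select: str = "outer"):
    """Key selector: one key in line mode, per remote MAC in MAC mode,
    per VLAN group in VLAN mode (untagged traffic is its own group)."""
    if mode == "line":
        return "line"
    if mode == "mac":
        return ("mac", dst)
    if mode == "vlan":
        if not vids:
            return ("vlan", "untagged")
        return ("vlan", {"outer": vids[0], "inner": vids[-1], "both": vids}[vlan_select])
    raise ValueError(f"unknown mode {mode!r}")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = PRF(key, nonce || i). HMAC-SHA256 stands in
    for the AES block function here; a (key, nonce) pair must never be reused."""
    blocks = (hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def process_frame(frame, mode, keys, policy, nonce, vlan_select="outer"):
    """Apply the encrypt/bypass/discard policy (Ethertype first, then address type),
    pick the connection key and XOR only the payload. Returns (action, frame_out).
    Destination/source MACs, VLAN tags and Ethertype are copied through unchanged."""
    hlen, dst, _src, vids, etype = parse_header(frame)
    action = policy.get(etype) or policy.get(address_type(dst), "encrypt")
    if action == "discard":
        return "discard", None
    if action == "bypass":
        return "bypass", frame
    conn = connection_id(mode, dst, vids, vlan_select)
    if conn not in keys:
        return "discard", None  # no established connection, so no key: drop rather than leak
    header, payload = frame[:hlen], frame[hlen:]
    ks = keystream(keys[conn], nonce, len(payload))
    return "encrypt", header + bytes(p ^ k for p, k in zip(payload, ks))


def build_frame(dst, src, vids, ethertype, payload):
    """Constructed test frame; the outer tag of a stack uses the 802.1ad TPID."""
    hdr = dst + src
    for i, vid in enumerate(vids):
        hdr += struct.pack("!HH", 0x88A8 if (i == 0 and len(vids) > 1) else 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample data: locally administered MACs, dummy 32-byte keys, one fixed nonce.
SITE_A = bytes.fromhex("02000000000a")
SITE_B = bytes.fromhex("02000000000b")
PAYLOAD = b"\x45\x00" + b"\x00" * 18 + b"constructed IP payload"
KEYS = {"line": b"L" * 32, ("mac", SITE_B): b"B" * 32,
        ("vlan", 100): b"d" * 32, ("vlan", 200): b"e" * 32, ("vlan", "untagged"): b"u" * 32}
POLICY = {0x0806: "bypass", "broadcast": "bypass"}  # ARP and broadcast frames pass in clear
NONCE = b"\x00" * 8  # one frame per key in this demo; a real CTR counter advances every frame


def demo():
    f100 = build_frame(SITE_B, SITE_A, (100,), 0x0800, PAYLOAD)
    f200 = build_frame(SITE_B, SITE_A, (200,), 0x0800, PAYLOAD)
    qinq = build_frame(SITE_B, SITE_A, (1100, 100), 0x0800, PAYLOAD)  # stacked tags, as seen at site C
    arp = build_frame(b"\xff" * 6, SITE_A, (100,), 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24)
    hlen = parse_header(f100)[0]
    _, c100 = process_frame(f100, "vlan", KEYS, POLICY, NONCE)
    _, c200 = process_frame(f200, "vlan", KEYS, POLICY, NONCE)
    _, cq = process_frame(qinq, "vlan", KEYS, POLICY, NONCE, vlan_select="inner")
    _, cmac = process_frame(f100, "mac", KEYS, POLICY, NONCE)
    arp_action, arp_out = process_frame(arp, "vlan", KEYS, POLICY, NONCE)
    _, back = process_frame(c100, "vlan", KEYS, POLICY, NONCE)  # peer side: same key, same counter
    return {
        "header_in_clear": c100[:hlen] == f100[:hlen],
        "length_preserved": len(c100) == len(f100),
        "vlan_100_and_200_keys_differ": c100[hlen:] != c200[hlen:],
        "inner_tag_selects_vlan_100_key": cq[parse_header(qinq)[0]:] == c100[hlen:],
        "mac_mode_uses_remote_mac_key": cmac[hlen:] not in (c100[hlen:], c200[hlen:]),
        "arp_bypassed": arp_action == "bypass" and arp_out == arp,
        "roundtrip": back == f100,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the file prints one True per check. The same function decrypts, since CTR mode is an XOR with the keystream; the receiving peer needs the same key and the same counter value, which is why a (key, counter) pair must never repeat under one key and why the per-connection keys and regular re-keying described above matter.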

The following scenarios are supported in VLAN mode:

STANDARD VLAN
VLAN 100 and VLAN 200 are secured using different group keys.

ASYMMETRIC VLANS
VLAN tag 100 is only visible at sites A and B. Site C only observes untagged traffic. A connection is established between all three sites regardless of VLAN tag visibility.

UNTAGGED AND TAGGED VLANS
VLAN 100 is encrypted at all sites. Untagged traffic is encrypted at all sites on a separate key to VLAN 100.

ASYMMETRIC STACKED VLANS
Sites A and B observe VLAN 100. Site C observes the stacked tags VLAN 1100 and VLAN 100.

VLAN MAPPING
The network re-maps VLAN IDs between sites:
> VLAN 100 at site A is mapped by the network to VLAN 200 at site B and to VLAN 300 at site C.
> VLAN 200 at site A is mapped by the network to VLAN 300 at site B and to VLAN 100 at site C.

Copyright Senetas Corporation 2013. All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time. Rev. 01