Group Encryption White Paper
Group Encryption Overview
Product Overview

Protecting data in motion has become a high priority for a growing number of companies and governments. The growing threat of data theft and increasing regulatory pressure to protect data have moved encryption of data in motion from a "nice to have" technology to a budgeted project for many companies. However, companies that have deployed IPsec VPNs across their networks have found that, while encryption is a strong form of data protection, deploying and managing IPsec VPNs is complicated, time consuming and often at odds with other network requirements such as application performance, intelligent traffic routing and reliability. Tunnel-based IPsec VPNs also fit poorly with a growing number of cost-effective Layer 2 service options, such as Metro Ethernet E-LAN, E-Line and VPLS, forcing companies that need encryption to find another approach.

CipherOptics addresses this need with CipherEngine, a group encryption solution that makes encryption easy to install, simple to manage and transparent to any infrastructure, topology or application. Examples of CipherEngine encrypted groups include:

• MPLS full mesh
• MPLS multicast
• IP hub and spoke
• Multi-carrier infrastructures
• VPLS mesh
• Mixed-vendor infrastructures
• Metro Ethernet point-to-multipoint

CipherEngine also decouples security from the routed or switched infrastructure, so security administration and role and access segmentation can be handled separately from network administration. Because the network headers stay intact, network troubleshooting remains practical, which is very difficult with tunnel-based transport encryption.

Product Architecture

CipherEngine provides confidentiality, authentication and entitlement (policy-based access) between communicating entities. Based on centralized policy definition, scalable key and policy distribution and secure endpoint grouping (group encryption), CipherEngine uses purpose-built, high-speed encryptors to deliver security that is scalable, easy to manage and transparent to latency-sensitive applications such as VoIP and multicast video.

Figure 1: Group Encryption with CipherEngine is based on grouping network nodes for policy definition and encryption key distribution

Copyright © CipherOptics 2010. All rights reserved.
Tunnel-Less Group Encryption

Unlike IPsec VPNs and other router-based solutions, CipherEngine eliminates the need to configure encryption tunnels or to set up predetermined device pairs for key negotiation. Instead, network or security administrators centrally define security policies based on trusted groups, and group encryption keys are then pushed dynamically to the enforcement points (see Figure 1). Defining one or more group encryption policies from a central location greatly simplifies the installation and management of network encryption. Adds, moves and deletes can be accomplished in seconds, even for large networks with multiple, overlapping encryption groups. Rekeys can be triggered at any time with the click of a button, or scheduled to take place automatically.

How It Works

A CipherEngine solution has three primary components, each with a distinct function:

• A Management and Policy (MAP) server, where group encryption policies are defined (Figure 2). It also includes an appliance management tool used for configuring, updating and maintaining the enforcement points.
• A Key Authority Point (KAP), which generates and pushes encryption keys based on the group policies it receives from the policy server.
• CipherEngine Enforcement Points (CEPs), high-speed, low-latency encryption appliances that deliver full-duplex, line-rate performance at 10 Mbps, 100 Mbps and 1 Gbps. The CEPs are policy configurable to support Layer 2, Layer 3 or Layer 4 encryption.

Figure 2: Selecting new policy type

CipherEngine Management and Policy Server

Figure 3: CipherEngine user interface

The MAP (Figure 3) is a rich-client application used to define group encryption policies. A CipherEngine group encryption policy defines which networks and subnets will be protected and groups them together. These encryption groups are referred to as "Network Sets" within CipherEngine. An encryption group can have one or more policies associated with it, ordered by priority. The Network Set view in the MAP allows the user to create, edit, delete and view the status of all Network Sets and encryption groups. Once the Network Sets are created, the security policies governing them are defined. Each group policy specifies the rekey period, the encryption and hash algorithms to be used, and whether key generation is
based on specific Network Sets or a global policy. Policy filtering criteria can be high level, such as "encrypt everything," or more granular, selecting traffic by IP address, protocol or VLAN ID.

The MAP also lets the security administrator monitor the working status of all KAP and CEP units in the deployment, including units that are not responding, are in error, or where policy deployments have not completed. CipherEngine provides a set of user roles to support role-based access to the MAP and separate auditing responsibilities.

CipherEngine KAP: Key Creation and Deployment

The Key Authority Points handle all key generation in a CipherEngine deployment. Once a group encryption policy is defined, the MAP sends the KAP a metapolicy containing all of the information for each policy: the action (encrypt, clear or drop), the lifetime of the policy, the encryptors that enforce it, and the traffic it applies to. The KAP then generates the required group encryption keys and sends the appropriate policies, along with the shared keys, to each encryptor. The KAP operates continuously, generating new keys, responding to MAP requests and, when necessary, resending failed messages. Where redundancy is required, a backup KAP can monitor the primary KAP's policies; if the primary fails, the backup performs a network rekey and takes over automatically until the primary returns to service. The KAP reports status to the MAP not only for itself but also for the CEP units it serves. A KAP can run as a separate Windows application on the same workstation as the MAP software, or can be purchased as a 1U rack-mountable appliance.

All group policy and encryption key distribution is protected with TLS and takes place over the management port of the KAP and CEP. When deployed keys near expiration, the KAP automatically generates new keys and pushes them out to replace the expiring ones; this automatic rekey can be set to occur at specified intervals or at specific times. Key updates are sequenced so that no packets are sent in the clear or dropped during the rekey.

One consequence of the group model deserves to be stated plainly: every member of an encryption group holds the same shared key, so the group is only as trustworthy as its least secure CEP. A compromised or misconfigured member can decrypt, and forge, traffic for the whole group, and per-packet authentication under a shared group key proves group membership rather than the identity of the individual sender. Protecting the KAP, the management port and the TLS credentials used for key distribution therefore matters as much as the strength of the data-path cipher.

CipherEngine Enforcement Point (CEP)

The MAP allows users to configure, update, maintain and troubleshoot the CEPs in a deployment. CipherOptics network encryptors are wire-speed encryption appliances that provide IP packet encryption, Ethernet frame encryption or TCP/UDP payload-only encryption in a single appliance. The CEPs are available in three models: 10 Mbps, 100 Mbps and 1 Gbps.

Figure 4: CipherEngine Enforcement Points
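The policy model described in the MAP and KAP sections (Network Sets carrying one or more prioritized policies, the encrypt/clear/drop actions, and selectors on IP addresses, protocols or VLAN IDs), as an added example written for this page rather than CipherOptics code. Everything concrete in it is assumed: the policy names, addresses and priorities, lowest-number-wins ordering among overlapping policies, and the default action of dropping unmatched traffic (the "deny all, permit by encryption group association" posture the paper recommends for data centers).

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Action is what a CEP does with a packet that matches a policy (the three actions the paper names).
type Action string

const (
	Encrypt Action = "encrypt"
	Clear   Action = "clear"
	Drop    Action = "drop"
)

// Policy is one rule attached to a Network Set. Zero-valued selectors (invalid prefix,
// protocol 0, VLAN 0) match anything. Lowest Priority wins; that ordering is assumed here.
type Policy struct {
	Name     string
	Priority int
	Src, Dst netip.Prefix
	Proto    uint8
	VLAN     int
	Action   Action
	Group    uint32 // key group the packet is encrypted under (0 for clear/drop)
}

// Packet holds only the selector fields a CEP classifies on.
type Packet struct {
	Src, Dst netip.Addr
	Proto    uint8
	VLAN     int
}

func (p Policy) matches(pk Packet) bool {
	if p.Src.IsValid() && !p.Src.Contains(pk.Src) {
		return false
	}
	if p.Dst.IsValid() && !p.Dst.Contains(pk.Dst) {
		return false
	}
	if p.Proto != 0 && p.Proto != pk.Proto {
		return false
	}
	return p.VLAN == 0 || p.VLAN == pk.VLAN
}

// Compile returns a priority-sorted copy so that overlapping groups resolve
// deterministically; the caller's slice is left untouched.
func Compile(policies []Policy) []Policy {
	out := append([]Policy(nil), policies...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Priority < out[j].Priority })
	return out
}

// Classify returns the first matching policy. With no match the packet is
// dropped: the "deny all, permit by encryption group association" posture.
func Classify(compiled []Policy, pk Packet) (Action, uint32, string) {
	for _, p := range compiled {
		if p.matches(pk) {
			return p.Action, p.Group, p.Name
		}
	}
	return Drop, 0, "default-deny"
}

// SamplePolicies is a constructed Network Set (assumed addresses and priorities):
// VoIP multicast and a branch VLAN get their own key groups, a monitoring subnet is
// deliberately left in the clear, and everything else inside 10/8 is a site mesh.
func SamplePolicies() []Policy {
	return Compile([]Policy{
		{Name: "site-mesh", Priority: 40, Src: netip.MustParsePrefix("10.0.0.0/8"),
			Dst: netip.MustParsePrefix("10.0.0.0/8"), Action: Encrypt, Group: 30},
		{Name: "voip-multicast", Priority: 10, Dst: netip.MustParsePrefix("239.0.0.0/8"),
			Proto: 17, Action: Encrypt, Group: 10},
		{Name: "branch-vlan100", Priority: 30, VLAN: 100, Action: Encrypt, Group: 20},
		{Name: "monitoring-clear", Priority: 20, Src: netip.MustParsePrefix("10.255.0.0/16"),
			Action: Clear},
	})
}

func main() {
	set := SamplePolicies()
	for _, pk := range []Packet{
		{netip.MustParseAddr("10.1.1.5"), netip.MustParseAddr("239.1.1.1"), 17, 0},
		{netip.MustParseAddr("10.255.1.2"), netip.MustParseAddr("10.2.2.9"), 6, 0},
		{netip.MustParseAddr("10.3.0.7"), netip.MustParseAddr("10.2.2.9"), 6, 100},
		{netip.MustParseAddr("10.3.0.7"), netip.MustParseAddr("10.2.2.9"), 6, 0},
		{netip.MustParseAddr("192.0.2.10"), netip.MustParseAddr("10.2.2.9"), 6, 0},
	} {
		action, group, name := Classify(set, pk)
		fmt.Printf("%-12s -> %-10s vlan %-3d : %-7s group %-2d (%s)\n",
			pk.Src, pk.Dst, pk.VLAN, action, group, name)
	}
}
```

The five constructed packets land in four different outcomes. The case worth studying is the monitoring subnet: a higher-priority `clear` policy beats the site-mesh encryption rule, which is exactly the kind of overlap the MAP's priority ordering exists to resolve, and exactly the kind of deliberate hole an auditor should look for when reviewing a Network Set.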
The CEPs can operate in what is called "Network Mode", which includes:

• Copying the inner IP addresses of a packet to the outer tunnel addresses
• Copying the original MAC addresses to the outbound packet

All models offer full-duplex wire-speed encryption at their rated speed of 10 Mbps, 100 Mbps or 1 Gbps.

Transparent Group Encryption

CipherEngine can deploy transparent group encryption over any infrastructure or topology because it encrypts only the payload portion of a frame or packet and leaves the header information in the clear (Figure 5). For example, CipherEngine Layer 2 encryption leaves VLAN information in the clear and allows group encryption policies to be based on VLAN IDs. CipherEngine also allows users to create IP or MPLS encrypted groups for multiple topologies. It can encrypt the data payload while leaving the Layer 4 header in the clear, which preserves network services that rely on Layer 4 header information, such as traffic shaping, CoS-based routing and NetFlow or J-Flow. Encryption groups can be created for multicast video or VoIP without adding measurable latency or jitter and without modifying native traffic flows.

Two caveats apply to header preservation. First, whatever stays in the clear (addresses, ports, VLAN IDs, packet sizes and timing) remains visible to anyone on the path; the feature buys transparency by protecting payload content, not traffic patterns. Second, preserved headers are only safe to leave in the clear if the per-packet authentication covers them; when evaluating a deployment, confirm that rewriting the destination address or port of an encrypted packet causes the receiving CEP to reject it rather than deliver it.

Figure 5: CipherEngine header preservation enables Group Encryption over any topology
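The data path described in the KAP and Transparent Group Encryption sections (a shared group key pushed to every CEP, payload-only encryption with the IPv4/UDP header preserved in the clear, per-packet authentication, and a rekey that drops no packets), as an added example written for this page, not CipherOptics code. The paper names AES-256 but not a mode, and describes neither the packet format nor the rekey handshake, so AES-256-GCM, the clear trailer carrying key ID, sender ID and sequence number, and the three-phase rekey (install everywhere, switch senders, retire the old key) are this example's assumptions; the IPv4 length and checksum fields of the constructed packet are left zero.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Clear IPv4+UDP header (Layer 3/4 header preservation), then a clear trailer keyID(4)|senderID(4)|seq(8).
const hdrLen, trlrLen = 20 + 8, 4 + 4 + 8

// groupKey is one AES-256-GCM key the KAP pushes to every CEP of a Network Set (mode assumed).
type groupKey struct {
	id   uint32
	aead cipher.AEAD
}

func newGroupKey(id uint32) *groupKey {
	raw := make([]byte, 32) // AES-256, as the feature table states
	if _, err := rand.Read(raw); err != nil { panic(err) } // no entropy: refuse to key the group
	block, _ := aes.NewCipher(raw)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &groupKey{id: id, aead: aead}
}

// CEP is an enforcement point: keys holds every key it still accepts, active the one it sends
// with. Keeping the old key installed across a rekey is what lets in-flight packets decrypt.
type CEP struct {
	id, active uint32
	seq        uint64
	keys       map[uint32]*groupKey
}

// protect encrypts only the payload. Header and trailer are GCM additional data, so an
// on-path rewrite of addresses or ports fails authentication at the receiving CEP.
func (c *CEP) protect(pkt []byte) ([]byte, error) {
	k, ok := c.keys[c.active]
	if !ok || len(pkt) < hdrLen {
		return nil, errors.New("no active group key, or packet shorter than IPv4+UDP header")
	}
	c.seq++
	aad := make([]byte, hdrLen+trlrLen)
	copy(aad, pkt[:hdrLen])
	binary.BigEndian.PutUint32(aad[hdrLen:], k.id)
	binary.BigEndian.PutUint32(aad[hdrLen+4:], c.id)
	binary.BigEndian.PutUint64(aad[hdrLen+8:], c.seq)
	// Nonce = senderID||seq: many senders share one key, so each needs its own nonce space.
	return append(aad, k.aead.Seal(nil, aad[hdrLen+4:], pkt[hdrLen:], aad)...), nil
}

func (c *CEP) unprotect(wire []byte) ([]byte, error) {
	if len(wire) < hdrLen+trlrLen+16 {
		return nil, errors.New("truncated protected packet")
	}
	aad := wire[:hdrLen+trlrLen]
	k, ok := c.keys[binary.BigEndian.Uint32(aad[hdrLen:])]
	if !ok {
		return nil, errors.New("key not installed: rekey not yet received, or key retired")
	}
	// No anti-replay window here; a real CEP must track seq per sender ID.
	payload, err := k.aead.Open(nil, aad[hdrLen+4:], wire[hdrLen+trlrLen:], aad)
	if err != nil { return nil, err }
	return append(append([]byte(nil), aad[:hdrLen]...), payload...), nil
}

// kapRekey is the KAP's push: every member holds the new key before any sender switches to it,
// so nothing is dropped or sent in the clear; the old key is deleted only after traffic drains.
func kapRekey(members []*CEP, id uint32) {
	gk := newGroupKey(id)
	for _, m := range members { m.keys[gk.id] = gk } // phase 1: install everywhere
	for _, m := range members { m.active = gk.id }   // phase 2: switch senders
}

// Scenario runs one rekey over a constructed UDP packet (ports 5060->5060, SIP payload, other
// header fields zero) and reports four checks a practitioner would make.
func Scenario() (portsVisible, inFlightDecrypts, retiredRejected, tamperRejected bool, err error) {
	pkt := append(make([]byte, hdrLen), "INVITE sip:bob@example.test SIP/2.0"...)
	binary.BigEndian.PutUint16(pkt[20:], 5060) // UDP source port
	binary.BigEndian.PutUint16(pkt[22:], 5060) // UDP destination port
	a, b := &CEP{id: 1, keys: map[uint32]*groupKey{}}, &CEP{id: 2, keys: map[uint32]*groupKey{}}
	members := []*CEP{a, b}
	kapRekey(members, 1)
	wire, err := a.protect(pkt)
	if err != nil { return }
	portsVisible = string(wire[20:24]) == string(pkt[20:24]) // NetFlow/QoS still see both ports
	kapRekey(members, 2)                                     // rekey while wire is in transit
	got, e := b.unprotect(wire)
	inFlightDecrypts = e == nil && string(got) == string(pkt)
	for _, m := range members { delete(m.keys, 1) } // phase 3: retire the old key
	_, e = b.unprotect(wire)
	retiredRejected = e != nil
	wire, _ = a.protect(pkt) // cannot fail: a holds the active key 2
	wire[22] ^= 0x01         // on-path rewrite of the clear destination port
	_, e = b.unprotect(wire)
	tamperRejected = e != nil
	return
}

func main() { fmt.Println(Scenario()) } // expect: true true true true <nil>
```

Two points in the code go beyond what the paper states. The clear header is fed to GCM as additional data, so the tamper check passes only because header preservation and per-packet authentication are applied together; a device that preserved headers without authenticating them would let an on-path attacker redirect encrypted packets. And because every CEP encrypts under the same key, the nonce embeds a per-sender identifier: a group key with independently counted nonces is a GCM nonce-reuse failure waiting to happen.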
Solution Applications

Layer 3 WAN (IP/MPLS) Encryption

While MPLS and other forms of IP transport remain popular for their performance and cost benefits over private lines, the logical segmentation MPLS provides only separates customers' routing; it does not hide data from anyone with access to the carrier network, and it is not an adequate form of data protection. With CipherEngine, organizations can secure their data across the WAN using group encryption policies that mirror their WAN transport topologies and application flows, gaining data privacy and support for regulatory compliance without changes to the existing infrastructure.

Layer 2 WAN (Metro Ethernet/VPLS) Encryption

Customers using Layer 2 technologies for their WAN are often forced to deploy point-to-point encryption solutions or, worse, introduce latency-inducing Layer 3 VPNs to secure their data in motion. CipherEngine secures any Layer 2 topology, including multipoint-to-multipoint or mesh, with a native encryption solution, and its group encryption policies can be based on VLAN IDs, allowing companies to cryptographically segment their VLANs.

VoIP/Multicast Video Encryption

VoIP and multicast video are two of the fastest-growing network applications. Organizations recognize the need to secure them, but concerns about the latency and jitter of IPsec VPNs often leave these applications running in the clear. With CipherEngine, VoIP or video can be encrypted without impacting quality or adding jitter. CipherEngine offers group encryption policies for multicast, full mesh and hub-and-spoke topologies, so applications flow in their native environment without redirects and without burdening routers with the CPU-intensive tasks of policy lookup and encryption.

Data Center and Private Cloud Security

CipherEngine makes it easy to encrypt data entering and leaving data centers and private clouds. By creating encrypted groups and setting a "deny all, permit by encryption group association" policy, enterprises can protect their data in motion and also detect modification in transit, since CipherEngine authenticates on a packet-by-packet basis. The wire-speed capabilities of the CEP encryptors make it possible to discard packets that fail authentication or belong to no group at wire speed, which limits the effect of floods of unauthorized traffic on the protected hosts (though not on the upstream link that carries the flood).

Encryption as a Service

CipherEngine is an ideal solution for service providers looking to offer Encryption as a Service (EaaS). It allows service providers to add an encryption service without altering the existing network infrastructure or modifying the customer-premises router or switch. Leaving the Layer 4 header in the clear ensures that this value-added security does not impact SLAs that use Layer 4 information to shape or monitor traffic.

Public Internet and Multi-Carrier

For enterprises that use the public Internet, CipherEngine offers a single solution to deploy and manage group encryption. Even in mixed-carrier, off-net and extranet environments, CipherEngine provides group encryption management on a single platform.
CipherEngine Group Encryption Features and Benefits

Feature: Group Keys
• Maximum flexibility in creating group encryption keys for any topology: full mesh, hub and spoke, multicast, point-to-point
• Tunnelless encryption for any Layer 2, Layer 3 or Layer 4 network

Feature: Policy and Key Management
• Easy group encryption policy definition and management with CipherEngine
• Key servers can be located anywhere in the network and can be deployed redundantly
• Manual rekeys for the whole network can be accomplished with a button click from one location (MAP)
• Flexible automatic rekey available

Feature: Header Preservation
• Preserves routing and switching performance and redundancy
• Layer 2 header preservation enables encrypted groups based on VLAN IDs
• IP header preservation maintains QoS
• Layer 4 header preservation maintains traffic shaping, NetFlow, J-Flow and other carrier features

Feature: Authentication
Authentication is an ongoing process rather than a one-time event, providing an additional layer of security that ensures data is not modified in transit.
• Layer 2 frame-by-frame authentication
• Layer 3 packet-by-packet authentication

Feature: Scalability and Throughput
• Scales seamlessly for any topology
• Wire-speed performance (full duplex) from 10 Mbps to 1 Gbps
• Independent of routed or switched infrastructure; no impact on router performance
• All topologies and application flows are preserved

Feature: Extra Security
• Allows enterprises to decouple security administration from network administration
• Logging, tiered access and auditing capability
• Full performance with Advanced Encryption Standard (AES) 256-bit encryption

Feature: Virtual and Remote IP
• Works in mixed-carrier, Internet and extranet environments
• NAT support
• Ability to mask private addresses
• Support for multi-carrier, multi-homed environments

Feature: Infrastructure Independence
• Works over any routed or switched infrastructure
• No router or switch upgrades required
• No infrastructure operating software upgrades required
• No modifications to edge routers

About CipherOptics

When you need to encrypt your data in motion, CipherOptics makes it easy. Whether you need to protect a single link or your entire network, we eliminate the complexity of encrypting today's networks with a group encryption solution that is easy to deploy and manage, and transparent to topology and application performance.

For more information about the CipherEngine Group Encryption Solution visit