Datacryptor Ethernet Layer 2 Rel 4.5


  1. Information Security Systems > Datacryptor® Ethernet Layer 2 Version 4.5 Multipoint / MPLS
  2. Objectives
     ■ Provide an overview of the Datacryptor Ethernet Layer 2
     ■ Introduce the new version 4.5 and describe what it offers
     ■ Describe what it does for customers and the problems it solves
     ■ Explain how the multipoint and MPLS options work in practice
     ■ Describe the technical features and benefits of the product
     ■ Highlight the value the product offers to end users
     ■ Illustrate a representative user case and applied solution
     Protecting Data in Transit
  3. Overview
     ■ Datacryptor Layer 2 Ethernet is a hardware encryption module that protects data in transit, where it is most vulnerable to interception and alteration
     ■ Layer 2 encryption yields minimum overhead and frame expansion
     ■ Alternative Layer 3 encryption technologies significantly expand data packets
       ■ They fill up to 60% of the bandwidth the customer is buying from the carrier, costing more money
     ■ Alternative Layer 3 encryption technologies can also introduce delays
       ■ They render latency-sensitive applications (voice, video, and multi-media) unusable
     ■ Layer 2 Ethernet encryption allows one to secure the data without having to buy more bandwidth from the carrier than one actually needs to sustain the traffic flow
     ■ Layer 2 Ethernet encryption introduces only minimal latencies (microseconds); alternative Layer 3 encryption introduces sizeable latencies (milliseconds)
     ■ Protects data and helps avoid the potentially devastating costs and embarrassment associated with data breaches
     ■ Provides a mechanism for complying with growing government and industry regulations
  4. Overview /2: What does this all mean?
     ■ Packet expansion resulting from encryption costs the customer money
     [Figure: original unencrypted packet (Header | Payload) beside the IPSec-encrypted packet (IPSec Encryption Header | Header | Payload | IPSec Overhead); up to 60% expansion per packet in aggregate (VoIP, Data, Multi-Media)]
     ■ Datacryptor saves the customer bandwidth that they would otherwise have to buy
     ■ A simple analogy: protective packaging and shipping
       ■ Layer 3 (IPSec): oversized crate, $$$$$$$
       ■ Layer 2 (Ethernet): compact, cost-effective box, $
  5. What does the new product version offer?
     ■ Datacryptor Ethernet Layer 2 Ver 4.5 is a common code upgrade
       ■ Expands the features/functions of the 100 Mbps, 1, and 10 Gbps models
     ■ Introduces a secure multipoint encryption feature as a license option
       ■ Provides centralized automatic key generation, distribution, and fully-meshed secure connectivity for up to 200 nodes in a backbone
       ■ Key generation and distribution are embedded in the central-site encryptor
       ■ Delivers maximum encrypted throughput with minimum latency
     ■ Galois Counter Mode (GCM) cryptographic mode in multipoint operation provides increased security through encryption and frame authentication, which facilitates protection against replay
     ■ The Multi Protocol Label Switching (MPLS)-awareness feature uses a more flexible IP-based key distribution scheme and enables units to be deployed both at the edge of and within network infrastructures
  6. What does the new product version offer?
     ■ No hardware changes
     ■ Unit is rack-mountable and has a single AC (Universal) or DC (-48V) power supply and fixed RJ-45 host and network copper interfaces
     ■ Models can interoperate with 1 and 10 Gbps models in multipoint configurations
     [Figure: unit with labelled single fixed tamper label (3), AC (Universal) and DC (-48V) power options, serial console, fixed RJ-45 10/100BaseT host and network interfaces, and 10/100 Mbps Ethernet management port]
  7. What does the new product version offer? /2
     ■ No hardware changes
     ■ Units are rack-mountable
     ■ 1 and 10 Gbps units have dual and redundant AC or DC power supplies with removable copper or optical SFP/XFP host and network interface modules
     ■ All models can interoperate in multipoint configurations
     [Figure: 1 Gbps model with 10/100 Mbps Ethernet management port, serial console, dual swappable AC (Universal) or DC (-48V) power options and removable SFP optical interfaces; 10 Gbps model with the same management port, serial console and power options and removable XFP optical interfaces]
  8. What does the new product version do for you?
     ■ Protects the confidentiality of sensitive data where it is most vulnerable to interception: in transit, as it travels over an otherwise unprotected shared public network
     ■ Secures your network against data security breaches and helps you fulfill government and industry data protection regulations
     ■ Enables you to securely use more cost-effective data transport services such as carrier Layer 2 Ethernet and MPLS services without adversely impacting operational performance
  9. What problem are we solving?
     ■ Threats to data security and fulfillment of government regulations
     ■ Enabling secure critical applications such as
       ■ Bulk data transport for disaster recovery and business continuity
       ■ Point-to-point wireless and microwave MAN connectivity
       ■ Distributed data center connectivity
     ■ Providing a secure, cost-effective alternative to IPSec
       ■ Up to 60% overhead introduced by encryption over IP
     ■ Facilitating secure and efficient use of bandwidth
  10. Why Layer 2 encryption?
     ■ In a study by the Rochester Institute of Technology (RIT), it was determined that Layer 2 encryption technologies provide superior throughput and far lower latency than IPSec VPNs operating at Layer 3
     ■ The encryption of traffic at line speed, the addition of constant minimal latency regardless of frame size, and minimal frame loss make Layer 2 encryption a highly desirable solution
     ■ Enterprises that need to secure point-to-point or multipoint links are likely to achieve better encryption performance by shifting from traditional encryption with IPSec at Layer 3 to encryption of frame payloads at Layer 2
  11. Typical deployment scenarios
     ■ Secure datacenter backbone connectivity over a distributed network
     ■ Secure business continuity and disaster recovery multi-site connection
     [Figure: Headquarters, Satellite Office and Data Centers connected over a Layer 2 Ethernet or MPLS Carrier Network]
  12. Ethernet Layer 2 products at a glance
     Available Models
       Speed         Point-to-Point   Multipoint
       10/100 Mbps   DCME-LL76x       DCME-XL76x
       1 Gbps        DCGE-LG7Sx       DCGE-XG7Sx
       10 Gbps       DCGE-LI7Sx       DCGE-XI7Sx
     ■ AES (256-bit)
     ■ Transparent to line protocols
     ■ Multiple modes of operation
       ■ Bulk
       ■ Tunnel
       ■ Clear Header (Extended LAN/VLAN NS MPLS-aware)
     ■ RJ-45 interfaces (10/100M)
     ■ Removable pluggable interfaces (1/10G)
     ■ Dual/redundant power supplies (1/10G)
     ■ Universal AC and -48V DC options
     ■ FIPS 140-2 Level 3
     ■ Common Criteria EAL 3
  13. Associated software applications
     ■ Element Manager (included): allows the customer to securely configure and monitor encryptors in the network
     ■ SNMP Manager (supports the customer's own system): allows the customer to monitor encryptors in the network as part of their existing enterprise management system
     ■ Certificate Manager (ordered separately): allows the customer to generate their own seed material, required for the X.509 certificates used by the encryptors to exchange keys
  14. How does the multipoint option work?
     ■ Units can be configured to operate in point-to-point or multipoint mode
     ■ In point-to-point mode
       ■ Units are associated in discrete pair-wise connections
       ■ Each takes an equal part in establishing the agreed Key Encryption Key (KEK)
       ■ Each takes an equal part in establishing the agreed Data Encryption Key (DEK)
       ■ A Datacryptor can only encrypt/decrypt traffic from a single peer
     ■ In multipoint and MPLS mode
       ■ KEK agreement is unchanged
       ■ The DEK is generated centrally by the Key Management Application (KMA)
       ■ The KMA is embedded within the central-site encryption device
       ■ A common DEK is used by all peer units in the backbone network
       ■ Any Datacryptor can securely connect to any other unit in the network
       ■ Up to 200 nodes supported (1 central site and 199 remote peers)
       ■ Multiple keys are maintained at all times to ensure uninterrupted traffic
       ■ IP-based key distribution allows compatibility with a wider set of commercial switching equipment used in MPLS network environments
  15. How does the multipoint option work?
     ■ The multipoint option provides the capability for Datacryptor 100 Mbps, 1, and 10 Gbps units to operate in fully-meshed configurations
     ■ Enables encryption and decryption of unicast, multicast, and broadcast traffic
     [Figure: Ethernet Layer 2 Network with Datacryptor1 through DatacryptorX, a router, the Central KMA Platform and the Management Application Platform; every peer holds DEK1]
       ■ KEK agreement uses the same current process (DH)
       ■ Common DEK generated by the KMA and distributed to all peers
       ■ Step 1: DH exchange generates a unique KEK with each peer encryptor
       ■ Step 2: Single or multiple common DEKs generated and distributed (DEK1, DEK2, DEKx)
  16. How does the multipoint option work? The KMA
     ■ The KMA application software generates, stores, and distributes key material to all peer encryption units in the network
     ■ The application runs on a standard Datacryptor 100 Mbps, 1, or 10 Gbps unit, which also performs the function of central-site encryptor
     ■ The KMA is initially programmed with the Media Access Control (MAC) address of each of the peer Datacryptor units in the network
     ■ Peer units in the network are also programmed with the MAC address of the KMA unit when commissioned
     ■ In multipoint/MPLS mode, IP-based key management is used instead of the MAC addressing used for point-to-point and non-MPLS multipoint modes
     ■ Configuration of the KMA and peers is done through the Thales Element Manager (EM) Front Panel Viewer (FPV) application
     ■ FPV enables the security manager to set general parameters for multipoint operation, including peer MAC addresses and common key generation and distribution parameters such as the frequency of KEKs and DEK lifetime settings
  17. Features and benefits (all new to this release; the slide's table lists each feature, the models that carry it among 100M, 1G and 10G, and its benefit)
     ■ Multipoint capability across all platforms: the feature is now available in all three Ethernet models, enabling any of these to interoperate in fully meshed Layer 2/MPLS environments. Key material is generated and distributed by the application embedded with the designated central-site encryptor.
     ■ GCM cryptography in multipoint modes: provides increased security through frame authentication and replay protection. Allows out-of-sequence packets to be properly processed through the encryptor when the unit is operating in multipoint mode.
     ■ MPLS-awareness feature in multipoint mode: enables encryptors to properly secure data payloads without hiding the MPLS tags required for routing frames through the network infrastructure.
     ■ IP-based key management in multipoint/MPLS mode: the feature supplements the MAC addressing used for point-to-point and non-MPLS multipoint modes. The capability allows compatibility with a wider set of commercial switching equipment used in MPLS network environments.
     ■ Expanded number of peers: increases the number of available peer connections that any one unit can achieve in a multipoint configuration to 200 simultaneous connections.
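The two-step key hierarchy of slides 14 to 16 (per-peer DH agreement of a KEK with the central-site unit, then a common DEK generated by the KMA and distributed under each KEK) and the authenticated, replay-protected framing of slide 17, as one added model that is not part of the deck and not Thales code. Everything about the wire format is an assumption: the frame layout (source MAC, destination MAC, 48-bit sequence number, ciphertext, 16-byte tag), the use of RFC 3526 group 14 for the DH exchange, SHA-256 as the KEK derivation, and the replay window of 64 frames per sender. AES-GCM is replaced by an HMAC-SHA256 construction (counter-mode keystream plus an encrypt-then-MAC tag) so that the script runs on the Python standard library alone; the nonce and tag sizes match GCM's.

```python
# Added model (not Thales code) of the multipoint key hierarchy on slides 14-16
# and the authenticated, replay-protected framing on slide 17. Step 1: per-peer
# Diffie-Hellman with the central-site unit gives each peer a unique KEK. Step 2:
# the KMA issues one common DEK wrapped under every KEK. Frames carry a per-sender
# sequence number and pass a sliding replay window. AES-GCM is stood in for by
# HMAC-SHA256 (counter-mode keystream, encrypt-then-MAC tag); all sizes assumed.
import hashlib, hmac, secrets

P = int(  # RFC 3526 group 14 (2048-bit MODP), generator 2, for the KEK agreement
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, TAG_LEN, NONCE_LEN, WINDOW = 2, 16, 12, 64   # GCM-sized tag/nonce; replay window

def dh_kek(priv, peer_pub):  # step 1: KEK = hash of the DH shared secret with one peer
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return hashlib.sha256(b"KEK" + pow(peer_pub, priv, P).to_bytes(256, "big")).digest()

def _prf(label, key, msg):  # HMAC-SHA256 under a label-separated subkey
    return hmac.new(hashlib.sha256(label + key).digest(), msg, hashlib.sha256).digest()
def _xor_stream(key, nonce, data):  # counter-mode keystream, as GCM's CTR core does
    blocks = (_prf(b"enc", key, nonce + i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(x ^ s for x, s in zip(data, b"".join(blocks)))
def _tag(key, aad, nonce, ct):  # authenticates aad, nonce and ciphertext
    return _prf(b"mac", key, len(aad).to_bytes(2, "big") + aad + nonce + ct)[:TAG_LEN]

def seal(key, nonce, plaintext, aad=b""):  # -> ciphertext || tag
    ct = _xor_stream(key, nonce, plaintext)
    return ct + _tag(key, aad, nonce, ct)
def unseal(key, nonce, sealed, aad=b""):  # -> plaintext, or None if the tag fails
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        return None
    return _xor_stream(key, nonce, ct)

def window_update(state, seq):  # sliding replay window: new (top, mask), or None
    top, mask = state
    if seq > top:                                   # fresh, the window slides forward
        shift = seq - top
        return seq, (((mask << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1)
    if top - seq >= WINDOW:                         # too old to judge: drop
        return None
    bit = 1 << (top - seq)
    return None if mask & bit else (top, mask | bit)   # None = already seen

class Unit:  # a multipoint encryptor; the central-site unit also runs the KMA
    def __init__(self, mac):
        self.mac, self.priv = mac, 2 + secrets.randbelow((1 << 256) - 2)
        self.pub, self.kek, self.dek = pow(G, self.priv, P), None, None
        self.peer_keks, self.seq, self.windows = {}, 0, {}   # KMA table; tx counter; rx windows
    def agree_kek(self, kma_pub):                   # step 1, peer side
        self.kek = dh_kek(self.priv, kma_pub)
    def enrol(self, peer_mac, peer_pub):            # step 1, KMA side
        self.peer_keks[peer_mac] = dh_kek(self.priv, peer_pub)
    def issue_dek(self):                            # step 2: one common DEK, wrapped per peer
        self.dek, self.seq, self.windows, wrapped = secrets.token_bytes(32), 0, {}, {}
        for mac, kek in self.peer_keks.items():
            nonce = secrets.token_bytes(NONCE_LEN)
            wrapped[mac] = nonce + seal(kek, nonce, self.dek, b"DEK" + mac)
        return wrapped
    def install_dek(self, wrapped):                 # step 2, peer side
        self.dek = unseal(self.kek, wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], b"DEK" + self.mac)
        if self.dek is None:
            raise ValueError("DEK wrap failed authentication")
        self.seq, self.windows = 0, {}              # counters restart with every DEK
    def send(self, dst, payload):
        self.seq += 1                               # roll the DEK before this could wrap
        header, seq = self.mac + dst, self.seq.to_bytes(6, "big")   # L2 addresses stay clear
        return header + seq + seal(self.dek, self.mac + seq, payload, header + seq)
    def receive(self, frame):                       # -> payload, or None when dropped
        header, seq_b, body = frame[:12], frame[12:18], frame[18:]
        fresh = window_update(self.windows.get(header[:6], (0, 0)), int.from_bytes(seq_b, "big"))
        payload = unseal(self.dek, header[:6] + seq_b, body, header + seq_b) if fresh else None
        if payload is not None:
            self.windows[header[:6]] = fresh        # commit only after the tag verifies
        return payload

def demo():  # three remote peers and the central site; returns each check's outcome
    kma = Unit(bytes([2, 0, 0, 0, 0, 10]))
    a, b, c = peers = [Unit(bytes([2, 0, 0, 0, 0, i])) for i in (1, 2, 3)]
    for p in peers:
        kma.enrol(p.mac, p.pub)
        p.agree_kek(kma.pub)
    wrapped = kma.issue_dek()
    for p in peers:
        p.install_dek(wrapped[p.mac])
    f1, f2 = a.send(b"\xff" * 6, b"frame one"), a.send(b"\xff" * 6, b"frame two")  # broadcast
    bad = f2[:-1] + bytes([f2[-1] ^ 1])             # one bit of the tag flipped in transit
    return {
        "kek_agreed": all(kma.peer_keks[p.mac] == p.kek for p in peers),
        "out_of_order_ok": b.receive(f2) == b"frame two" and b.receive(f1) == b"frame one",
        "replay_dropped": b.receive(f1) is None,
        "tamper_dropped": c.receive(bad) is None,
        "genuine_after_tamper": c.receive(f2) == b"frame two",
    }
```

Running `demo()` shows the properties the slides claim: every peer ends up with the same DEK although each received it under its own KEK; a broadcast frame from one peer is readable by all others; a frame arriving out of order is accepted while a replayed one is dropped; and a frame whose tag fails verification is dropped without advancing the replay window, so the genuine copy is still accepted afterwards. Each sender's counter restarts at zero only when a new DEK is installed, which is why the DEK lifetime setting on slide 16 matters: the nonce (sender MAC plus counter) must never repeat under one DEK.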
  18. Value to end user
     ■ Robust encryption of data in transit, where it is most vulnerable, with minimum operational impact
     ■ Increased security through encryption and frame authentication
     ■ Saves up to 60% in bandwidth utilization and the resulting data transport costs
     ■ Easy installation into existing networks, quickly securing them and saving you money
     ■ Helps you comply with new government and industry data security regulations
     ■ Protects data confidentiality and integrity, so even if intercepted, security cannot be breached
  19. Representative user case: customer requirements
     ■ Customer is a data center operator connecting remote customer sites
     ■ Example shows 18 data centers connected to a central site (can be up to 199)
     ■ Each site must also securely connect with each other for actualization
     ■ Connections between sites use a Layer 2 Ethernet MPLS carrier service in a combination of speeds (100 Mbps, 1, and 10 Gbps)
  20. Representative user case: customer architecture
     [Figure: Sites 1 to 18 (data centers) and a Central Site connected over a Shared Switched Ethernet Layer 2 or MPLS Carrier Network, with vulnerability points marked on the carrier links]
     ■ Sensitive data flows over more distributed connections
     ■ Increased exposure over a vulnerable open environment
  21. Representative user case: secured network
     [Figure: Sites 1 to 18 and the Central Site (primary and spare encryptors) connected over the Shared Switched Ethernet Layer 2 or MPLS Carrier Network, with Element Manager and Certificate Manager at the central site; remote units grouped x8, x5 and x5]
     ■ Uses a Datacryptor 10 Gbps Ethernet Layer 2 Multipoint encryptor as concentrator
     ■ Uses Datacryptor 100 Mbps, 1, and 10 Gbps Multipoint units at remote sites
     ■ Any site can also connect securely with any other site
     ■ All connections secured with AES-256 encryption
  22. Use Case: Thales Solution
     ■ Primary equipment
       ■ Quantity (8) 100 Mbps units
       ■ Quantity (5) 1 Gbps units + SFP modules
       ■ Quantity (6) 10 Gbps units + XFP modules
       ■ Quantity (1) CM
       ■ Quantity (1) EM/FPV (no cost)
     ■ Spares
       ■ Quantity (1) 10 Gbps unit + XFP modules
     ■ Installation
     ■ Training
     ■ Maintenance options
  23. Thank You! Questions