Datacryptor Ethernet Layer 2 Rel 4.5

Date post: 12-May-2015
Uploaded by: eugene-sushchenko
Page 1: Datacryptor Ethernet Layer 2 Rel 4.5

Information Security Systems

Datacryptor® Ethernet Layer 2 Version 4.5 Multipoint / MPLS

Page 2: Datacryptor Ethernet Layer 2 Rel 4.5

Objectives

- Provide an overview of the Datacryptor Ethernet Layer 2
- Introduce the new version 4.5 and describe what it offers
- Describe what it does for customers and the problems it solves
- Explain how the multipoint and MPLS options work in practice
- Describe the technical features and benefits of the product
- Highlight the value the product offers to end users
- Illustrate a representative user case and the applied solution

Protecting Data in Transit

Page 3: Datacryptor Ethernet Layer 2 Rel 4.5

Overview

- Datacryptor Layer 2 Ethernet is a hardware encryption module that protects data in transit, where it is most vulnerable to interception and alteration
- Layer 2 encryption yields minimal overhead and frame expansion in transit
- Alternative Layer 3 encryption technologies significantly expand data packets
  - The expansion can consume up to 60% of the bandwidth the customer is buying from the carrier, costing more money
- Alternative Layer 3 encryption technologies can also introduce delays
  - The delays can render latency-sensitive applications (voice, video, and multimedia) unusable
- Layer 2 Ethernet encryption secures the data without having to buy more bandwidth from the carrier than is actually needed to sustain the traffic flow
- Layer 2 Ethernet encryption introduces only minimal latency (microseconds)
- Alternative Layer 3 encryption introduces sizeable latency (milliseconds)
- Protects data and helps avoid the potentially devastating costs and embarrassment associated with data breaches
- Provides a mechanism for complying with growing government and industry regulations

Page 4: Datacryptor Ethernet Layer 2 Rel 4.5

Overview /2

- What does this all mean? Packet expansion resulting from encryption costs the customer money

[Figure: an original unencrypted packet (header + payload) beside the IPsec-encrypted packet, which carries additional IPsec overhead; aggregated VoIP, data and multimedia traffic; up to 60% expansion per packet]

- Datacryptor saves bandwidth that customers would otherwise have to buy
- A simple analogy: protective packaging and shipping. Layer 3 (IPsec) is an oversized crate ($$$$$$$); Layer 2 (Ethernet) is a compact, cost-effective box ($)

Page 5: Datacryptor Ethernet Layer 2 Rel 4.5

What does the new product version offer?

- Datacryptor Ethernet Layer 2 Ver 4.5 is a common code upgrade
- Expands the features/functions of the 100 Mbps, 1 Gbps, and 10 Gbps models
- Introduces a secure multipoint encryption feature as a license option
- Provides centralized automatic key generation, distribution, and fully-meshed secure connectivity for up to 200 nodes in a backbone
- Key generation and distribution are embedded in the central-site encryptor
- Delivers maximum encrypted throughput with minimum latency
- Galois Counter Mode (GCM) cryptographic mode in multipoint operation provides increased security through encryption and frame authentication, which facilitates protection against replay
- The Multi Protocol Label Switching (MPLS)-awareness feature uses a more flexible IP-based key distribution scheme and enables units to be deployed both at the edge and within network infrastructures

Page 6: Datacryptor Ethernet Layer 2 Rel 4.5

What does the new product version offer?

[Figure: 100 Mbps model with callouts: fixed RJ-45 10/100BaseT host and network interfaces; 10/100 Mbps Ethernet management port; single fixed AC (universal) or DC (-48V) power option; serial console; tamper labels (3)]

- No hardware changes
- The unit is rack-mountable and has a single AC or DC power supply and fixed RJ-45 host and network copper interfaces
- Models can interoperate with the 1 and 10 Gbps models in multipoint configurations

Page 7: Datacryptor Ethernet Layer 2 Rel 4.5

What does the new product version offer? /2

[Figure: 1 Gbps model with callouts: 10/100 Mbps Ethernet management port; serial console; removable SFP optical interfaces; dual swappable AC (universal) or DC (-48V) power options. 10 Gbps model with callouts: removable XFP optical interfaces; dual swappable AC (universal) or DC (-48V) power options; 10/100 Mbps Ethernet management port; serial console]

- No hardware changes
- Units are rack-mountable
- 1 and 10 Gbps units have dual, redundant AC or DC power supplies with removable copper or optical SFP/XFP host and network interface modules
- All models can interoperate in multipoint configurations

Page 8: Datacryptor Ethernet Layer 2 Rel 4.5

What does the new product version do for you?

- Protects the confidentiality of sensitive data where it is most vulnerable to interception: in transit, as it travels over an otherwise unprotected shared public network
- Secures your network against data security breaches and helps you fulfill government and industry data protection regulations
- Enables you to securely use more cost-effective data transport services such as carrier Layer 2 Ethernet and MPLS services without adversely impacting operational performance

Page 9: Datacryptor Ethernet Layer 2 Rel 4.5

What problem are we solving?

- Threats to data security and fulfillment of government regulations
- Enabling secure critical applications such as
  - Bulk data transport for disaster recovery and business continuity
  - Point-to-point wireless and microwave MAN connectivity
  - Distributed data center connectivity
- Providing a secure, cost-effective alternative to IPSec
  - Up to 60% overhead is introduced by encryption over IP
- Facilitating secure and efficient use of bandwidth

Page 10: Datacryptor Ethernet Layer 2 Rel 4.5

Why Layer 2 encryption?

- In a study by the Rochester Institute of Technology (RIT), it was determined that Layer 2 encryption technologies provide superior throughput and far lower latency than IPSec VPNs operating at Layer 3
- The encryption of traffic at line speed, the addition of a constant minimal latency regardless of frame size, and minimal frame loss make Layer 2 encryption a highly desirable solution
- Enterprises that need to secure point-to-point or multipoint links are likely to achieve better encryption performance by shifting from traditional IPSec encryption at Layer 3 to encryption of frame payloads at Layer 2

Page 11: Datacryptor Ethernet Layer 2 Rel 4.5

Typical deployment scenarios

- Secure data center backbone connectivity over a distributed network
- Secure business continuity and disaster recovery multi-site connection

[Figure: headquarters, a satellite office and data centers connected over a Layer 2 Ethernet or MPLS carrier network]

Page 12: Datacryptor Ethernet Layer 2 Rel 4.5

Ethernet Layer 2 products at a glance

- Available models

  Speed         Point-to-Point   Multipoint
  10/100 Mbps   DCME-LL76x       DCME-XL76x
  1 Gbps        DCGE-LG7Sx       DCGE-XG7Sx
  10 Gbps       DCGE-LI7Sx       DCGE-XI7Sx

- AES (256-bit)
- Transparent to line protocols
- Multiple modes of operation
  - Bulk
  - Tunnel
  - Clear Header (Extended LAN/VLAN NS MPLS-aware)
- RJ-45 interfaces (10/100M)
- Removable pluggable interfaces (1/10G)
- Dual/redundant power supplies (1/10G)
- Universal AC and -48V DC options
- FIPS 140-2 Level 3
- Common Criteria EAL 3

Page 13: Datacryptor Ethernet Layer 2 Rel 4.5

Associated software applications

- Element Manager (included): allows the customer to securely configure and monitor the encryptors in the network
- SNMP Manager (supports the customer's system): allows the customer to monitor the encryptors in the network as part of their existing enterprise management system
- Certificate Manager (ordered separately): allows the customer to generate their own seed material, required for the X.509 certificates used by the encryptors to exchange keys

Page 14: Datacryptor Ethernet Layer 2 Rel 4.5

How does the multipoint option work?

- Units can be configured to operate in point-to-point or multipoint mode
- In point-to-point mode
  - Units are associated in discrete pair-wise connections
  - Each takes an equal part in establishing the agreed Key Encryption Key (KEK)
  - Each takes an equal part in establishing the agreed Data Encryption Key (DEK)
  - A Datacryptor can only encrypt/decrypt traffic from a single peer
- In multipoint and MPLS mode
  - KEK agreement is unchanged
  - The DEK is generated centrally by the Key Management Application (KMA)
  - The KMA is embedded within the central-site encryption device
  - A common DEK is used by all peer units in the backbone network
  - Any Datacryptor can securely connect to any other unit in the network
  - Up to 200 nodes are supported (1 central site and 199 remote peers)
  - Multiple keys are maintained at all times to ensure uninterrupted traffic
  - IP-based key distribution allows compatibility with a wider set of commercial switching equipment used in MPLS network environments

Page 15: Datacryptor Ethernet Layer 2 Rel 4.5

How does the multipoint option work?

- The multipoint option provides the capability for Datacryptor 100 Mbps, 1, and 10 Gbps units to operate in fully-meshed configurations
- Enables encryption and decryption of unicast, multicast, and broadcast traffic

[Figure: Ethernet Layer 2 network with Datacryptor1 (also the central KMA platform), Datacryptor2, Datacryptor3, Datacryptor4 through DatacryptorX, a router, and the management application platform. Step 1: a DH exchange generates a unique KEK with each peer encryptor. Step 2: single or multiple common DEKs are generated and distributed (DEK1, DEK2, DEKx). The KEK uses the same current process (DH); the common DEK is generated by the KMA and distributed to all peers, each shown holding DEK1]

Page 16: Datacryptor Ethernet Layer 2 Rel 4.5

How does the multipoint option work?

- The KMA
  - The KMA application software generates, stores, and distributes key material to all peer encryption units in the network
  - The application runs on a standard Datacryptor 100 Mbps, 1, or 10 Gbps unit, which also performs the function of central-site encryptor
  - The KMA is initially programmed with the Media Access Control (MAC) address of each of the peer Datacryptor units in the network
  - Peer units in the network are also programmed with the MAC address of the KMA unit when commissioned
  - In multipoint/MPLS mode, IP-based key management is used instead of the MAC addressing used for point-to-point and non-MPLS multipoint modes
  - Configuration of the KMA and peers is done through Thales' Element Manager (EM) Front Panel Viewer (FPV) application
  - The FPV enables the security manager to set general parameters for multipoint operation, including peer MAC addresses and common key generation and distribution parameters such as the frequency of KEKs and DEK lifetime settings
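The two-step key hierarchy on the last three slides (a per-peer KEK from a DH exchange with the KMA, then one common DEK generated by the KMA and pushed to every peer under its KEK) can be traced in code. This is an added illustration, not Thales code and not the product's actual protocol: X25519, SHA-256 as the key derivation, AES-256-GCM as both the key-wrap and the frame cipher, and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T { // panic on error: setup failures are not recoverable here
	if err != nil {
		panic(err)
	}
	return v
}

// NewUnit gives a Datacryptor (or the KMA) its DH key pair.
func NewUnit() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// Step 1: DH between the KMA and one peer yields that peer's unique KEK. X25519 and SHA-256 are
// assumptions standing in for the product's unspecified DH group and key derivation.
func DeriveKEK(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(mine.ECDH(theirs)))
	return sum[:]
}

// Seal/Open: AES-256-GCM with a random nonce prepended; wraps the DEK under a KEK and protects frames under the DEK.
func Seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, box []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(box) < g.NonceSize() {
		return nil, errors.New("frame too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// Step 2 for one peer: the KMA wraps the common DEK under that peer's KEK and sends it across
// the carrier network; the peer unwraps it with its own copy of the KEK. Run once per peer.
func DeliverDEK(kma, peer *ecdh.PrivateKey, dek []byte) ([]byte, error) {
	wrapped := Seal(DeriveKEK(kma, peer.PublicKey()), dek)
	return Open(DeriveKEK(peer, kma.PublicKey()), wrapped)
}
```

Once every peer holds the same DEK, a frame sealed by one unit opens at any other unit, which is the any-to-any property the slides describe; a unit that never ran the DH exchange with the KMA has a different KEK and cannot unwrap the DEK.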

Page 17: Datacryptor Ethernet Layer 2 Rel 4.5

Features and benefits

New to this release; every feature below is available on all three models (100M, 1G, 10G).

Feature: Multipoint capability across all platforms
Benefit: Now available in all three Ethernet models, enabling any of them to interoperate in fully meshed Layer 2/MPLS environments. Key material is generated and distributed by an application embedded in the designated central-site encryptor.

Feature: GCM cryptography in multipoint modes
Benefit: Provides increased security through frame authentication and replay protection. Allows out-of-sequence packets to be properly processed through the encryptor when the unit is operating in multipoint mode.

Feature: MPLS-awareness feature in multipoint mode
Benefit: Enables encryptors to properly secure data payloads without hiding the MPLS tags required for routing frames through the network infrastructure.

Feature: IP-based key management in multipoint/MPLS mode
Benefit: Supplements the MAC addressing used for point-to-point and non-MPLS multipoint modes. Allows compatibility with a wider set of commercial switching equipment used in MPLS network environments.

Feature: Expanded number of peers
Benefit: Increases the number of peer connections that any one unit can achieve in a multipoint configuration to 200 simultaneous connections.
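To make concrete what "replay protection that still lets out-of-sequence packets through" means, here is an added, illustrative anti-replay check, not the product's implementation: a sliding window over an authenticated per-frame sequence number, kept per sending unit because every unit in the mesh shares the same DEK. The window style follows IPsec ESP; the sequence-number field, the window size of 64 and the MAC-keyed map are assumptions.

```go
package main

// ReplayWindow is a per-sender anti-replay window over a 64-bit frame sequence number, in the
// style of the IPsec ESP window (an assumption: the slides say only that GCM in multipoint mode
// gives replay protection while still letting out-of-sequence frames through).
type ReplayWindow struct {
	top    uint64 // highest sequence number accepted so far
	bitmap uint64 // bit i set means sequence number top-i has already been seen
	seeded bool
}

const windowSize = 64

// Accept reports whether seq is fresh and records it. It must run only after the GCM tag has
// verified, so the sequence number being judged is authentic and not attacker-chosen.
func (w *ReplayWindow) Accept(seq uint64) bool {
	if !w.seeded {
		w.top, w.bitmap, w.seeded = seq, 1, true
		return true
	}
	switch {
	case seq > w.top: // newer than anything seen: slide forward (a shift of 64+ clears the bitmap)
		w.bitmap = w.bitmap<<(seq-w.top) | 1
		w.top = seq
		return true
	case w.top-seq >= windowSize: // older than the window remembers: reject
		return false
	default: // inside the window: accept an out-of-sequence frame once, reject a repeat
		bit := uint64(1) << (w.top - seq)
		if w.bitmap&bit != 0 {
			return false
		}
		w.bitmap |= bit
		return true
	}
}

// Mesh keeps one window per sending unit, keyed by its MAC address: with one common DEK shared
// by up to 200 peers, replay state has to be tracked per sender, not per key.
type Mesh struct{ bySender map[string]*ReplayWindow }

func NewMesh() *Mesh { return &Mesh{bySender: map[string]*ReplayWindow{}} }

func (m *Mesh) Accept(senderMAC string, seq uint64) bool {
	if m.bySender[senderMAC] == nil {
		m.bySender[senderMAC] = &ReplayWindow{}
	}
	return m.bySender[senderMAC].Accept(seq)
}
```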

Page 18: Datacryptor Ethernet Layer 2 Rel 4.5

Value to end user

- Robust encryption of data in transit, where it is most vulnerable, with minimum operational impact
- Increased security through encryption and frame authentication
- Saves up to 60% in bandwidth utilization and the resulting data transport costs
- Easy installation into existing networks, quickly securing them and saving you money
- Helps you comply with new government and industry data security regulations
- Protects data confidentiality and integrity, so even if intercepted, security cannot be breached

Page 19: Datacryptor Ethernet Layer 2 Rel 4.5

Representative user case: customer requirements

- The customer is a data center operator connecting remote customer sites
- The example shows 18 data centers connected to a central site (can be up to 199)
- Each site must also securely connect with each other site for actualization
- Connections between sites use a Layer 2 Ethernet MPLS carrier service in a combination of speeds (100 Mbps, 1, and 10 Gbps)

Page 20: Datacryptor Ethernet Layer 2 Rel 4.5

Representative user case: customer architecture

[Figure: Site 1 through Site 18 and the Central Site data centers connected over a shared switched Ethernet Layer 2 or MPLS carrier network, with vulnerability points marked on the carrier network]

- Sensitive data flows over more distributed connections
- Increased exposure over a vulnerable open environment

Page 21: Datacryptor Ethernet Layer 2 Rel 4.5

Representative user case: secured network

[Figure: the same Site 1 through Site 18 and the Central Site data centers over the shared switched Ethernet Layer 2 or MPLS carrier network, each site now behind a Datacryptor; unit groupings labelled x8, x5 and x5; primary and spare encryptors at the central site, together with the Network Element Manager and Certificate Manager]

- Uses a Datacryptor 10 Gbps Ethernet Layer 2 Multipoint encryptor as the concentrator
- Uses Datacryptor 100 Mbps, 1, and 10 Gbps Multipoint units at the remote sites
- Any site can also connect securely with any other site
- All connections are secured with AES-256 encryption

Page 22: Datacryptor Ethernet Layer 2 Rel 4.5

Use Case: Thales Solution

- Primary equipment
  - Quantity (8) 100 Mbps units
  - Quantity (5) 1 Gbps units + SFP modules
  - Quantity (6) 10 Gbps units + XFP modules
  - Quantity (1) CM
  - Quantity (1) EM/FPV (no cost)
- Spares
  - Quantity (1) 10 Gbps unit + XFP modules
- Installation
- Training
- Maintenance options

Page 23: Datacryptor Ethernet Layer 2 Rel 4.5

Thank You! Questions