PacketLight Encryption Solution_PL_1000_TE_Crytpo_Linkedin

Date post: 06-Aug-2015
Upload: michalnt
Transcript
Page 1: PacketLight Encryption Solution

PACKETLIGHT ENCRYPTION SOLUTION

PL-1000TE Crypto: GbE, 10G, 40G Eth, 4G/8G/10/16G FC

Page 2: Encryption Essential and Awareness Is Growing

• It is not so difficult to tap fiber optics; many YouTube videos show how simple it is: https://www.youtube.com/watch?v=2fP-j4XCuFs

• Governments have initiated new sets of laws and guidelines to protect essential and financial infrastructures

• Hackers and cyber attacks are posing strategic threats to any enterprise

Page 3: Benefit of Layer-1 Encryption

• Encryption of all the data passing over the fiber, no room for omissions

• Transparent, maintaining the full bandwidth of the traffic

• Beneficial for low-latency applications

• Covers physical fiber-tapping detection

• Interfaces to existing DWDM infrastructure and Telco OTN networks

• No need to change or upgrade the Layer-2/3 switches/routers

Page 4: Fiber Security Layers

Layer            | Protection
-----------------|------------------------------------------------------------------------------------------------------------------------
Physical Layer   | Optical power monitoring per service; automatic detection of fiber tapping
Data Plane       | Layer-1 transparent full-bandwidth encryption: GCM-AES-256 (Advanced Encryption Standard), Diffie-Hellman key exchange, authentication using SHA-256
Management Plane | SNMPv3, RADIUS, management firewall, HTTPS, Secure Shell
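The physical-layer row above lists optical power monitoring per service and automatic detection of fiber tapping, but the deck does not say how the detection works. The Go program below is an added example, not PacketLight code, of the usual monitoring approach a security operations team would implement on top of per-service Rx power readings: learn a baseline while the link is healthy and alarm when received power steps down, since an inline tap couples part of the light out of the fiber. The power trace, the 0.5 dB alarm threshold, the 0.2 dB clear threshold and the EWMA smoothing factor are constructed assumptions for illustration, not figures from the product.

```go
package main

import "fmt"

// Reading is one received-optical-power sample for a service (dBm), as a
// monitoring system would poll it from the unit (constructed data below).
type Reading struct {
	T   int     // sample index (e.g. seconds since start)
	DBm float64 // received optical power
}

// Alarm records a suspected tap: received power fell more than the threshold
// below the learned baseline.
type Alarm struct {
	T        int
	Baseline float64
	Observed float64
	DropDB   float64
}

// DetectTaps keeps an exponential-moving-average baseline of received power
// while the link is healthy, raises an alarm when a sample drops more than
// thresholdDB below it, freezes the baseline while the alarm is active (so the
// tap's loss is never learned as "normal"), and clears once power is back
// within clearDB of the baseline. alpha, thresholdDB and clearDB are assumed
// tuning values for this example, not values from the product documentation.
func DetectTaps(samples []Reading, alpha, thresholdDB, clearDB float64) []Alarm {
	if len(samples) == 0 {
		return nil
	}
	baseline := samples[0].DBm
	inAlarm := false
	var alarms []Alarm
	for _, s := range samples[1:] {
		drop := baseline - s.DBm // positive when power fell
		switch {
		case !inAlarm && drop > thresholdDB:
			inAlarm = true
			alarms = append(alarms, Alarm{T: s.T, Baseline: baseline, Observed: s.DBm, DropDB: drop})
		case inAlarm && drop < clearDB:
			inAlarm = false
		}
		if !inAlarm {
			baseline = alpha*s.DBm + (1-alpha)*baseline
		}
	}
	return alarms
}

// SampleTrace is a constructed trace: a stable link near -7 dBm with normal
// jitter, then a sudden 0.8 dB step at t=6 when a tap is inserted and stays.
func SampleTrace() []Reading {
	levels := []float64{-7.00, -7.02, -6.98, -7.01, -7.00, -6.99, -7.80, -7.82, -7.79}
	trace := make([]Reading, len(levels))
	for i, p := range levels {
		trace[i] = Reading{T: i, DBm: p}
	}
	return trace
}

func main() {
	for _, a := range DetectTaps(SampleTrace(), 0.2, 0.5, 0.2) {
		fmt.Printf("t=%d: possible fiber tap, rx power %.2f dBm is %.2f dB below baseline %.2f dBm\n",
			a.T, a.Observed, a.DropDB, a.Baseline)
	}
}
```

A slow drift (connector aging, temperature) is tracked by the moving average and never alarms, which is intended; pair this step detector with an absolute low-power threshold so a tap inserted gradually is still caught.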

Page 5: PL-1000TE-Crypto Features

• 8 full bi-directional 3R multi-type/rate transponders

• 8 independent AES-256 encryption machines and key exchanges, one per service

• Fully compliant with FIPS 140-2 Level 2 and NSA Suite B

• Flexible, user-configurable multirate interface support for:
  – Data: GbE, 10GbE, 40GbE LAN
  – Storage: 4G/8G/10G/16G FC

• Performance monitoring on all interfaces

• Data-flow transparent, ultra-low latency

• Optional 1+1 optical facility protection using an optical switch

• Integrated passive optics (Mux/DeMux), optical amplifiers (EDFAs)

• Pay-as-you-grow architecture (pluggable SFP+s)

• Dual redundant pluggable AC/DC PSU and fan unit

"1U Data and Storage Layer-1 Encryption solution"

Page 6: PL-1000TE-Crypto Encryption Solution Description

• Supports 8 independent bi-directional encryption/decryption machines

• Each encryption/decryption machine can be configured to a different service rate/type and has its own key exchange and pre-shared secret

• Conforms with known encryption standards: GCM-AES-256 (Advanced Encryption Standard), Diffie-Hellman key exchange, FIPS 140-2 Security Level 2, Suite B, CNSSP-15 cryptography

• Encryption provides: confidentiality, data integrity, authentication

• Supports user-configurable services:
  – 1G/10G/40G Ethernet
  – 4G/8G/10G/16G FC

• Low latency: < 20 µsec for encrypted 10G ETH

• Supports secured key distribution

• 8 optical transponders, optional Mux/DeMux, optical amplifier and OSW

Encryption Mechanism PL-1000TE

Page 7: PL-1000TE Encryption Functionality

Requirement             | Function               | Algorithm / Mechanism                                                                          | FIPS 140-2             | Suite B
------------------------|------------------------|------------------------------------------------------------------------------------------------|------------------------|--------
Cryptographic Algorithm | Encryption algorithm   | GCM-AES-256                                                                                    | FIPS 197 and SP 800-38D | Yes
Key Management          | Key establishment      | Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) with a pre-shared secret         | SP 800-56A             | Yes
Key Management          | Message authentication | Message digest with a pre-shared key, Secure Hash Algorithm 2 (SHA-256)                        | FIPS 180-4             | Yes
Self Tests              | Integrity tests        | On power-up, verify the digest of the software encryption modules and run known-answer tests (KAT) with test vectors | Yes | N/A
Random Number Generator | Key generation         | True random number generator (TRNG) with FDK-100, and deterministic random bit generator (DRBG) | SP 800-90              | N/A
Access Control          | Authentication         | Role based, user/password authentication                                                       | Yes                    | N/A
Physical Security       | Tamper evidence        |                                                                                                | Yes                    |
EMI/EMC                 |                        | FCC Part 15 Class A                                                                            | Yes                    | N/A
Services                | Supported services     | GbE, 10GbE, 40GbE; 4G-FC, 8G-FC, 10G-FC, 16G-FC                                               | N/A                    | N/A

Page 8: Mapping of the Encrypted Services

• The mapping of the encrypted services is done according to the following table:

Service          | Client Rate  | Uplink Rate  | Encrypted Signal Rate
-----------------|--------------|--------------|----------------------
Encrypted 10GbE  | 10.3125G     | 10.3125G     | 10GbE
Encrypted 1GbE   | 1.25G        | 2.125G       | 2GFC
Encrypted 4G FC  | 4.25G        | 10.3125G     | 10GbE
Encrypted 8G FC  | 8.5G         | 10.3125G     | 10GbE
Encrypted 10G FC | 10.51875G    | 10.51875G    | 10GFC
Encrypted 16G FC | 14.025G      | 14.025G      | 16GFC
Encrypted 40GbE  | 4x 10.3125G  | 4x 10.3125G  | 4x 10GbE

• The bit rate of the encrypted 64b/66b service is the same as the client rate

• The Diffie-Hellman key exchange is done in-band in the encrypted signal
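Pages 6, 7 and 8 describe the per-service mechanism: a Diffie-Hellman (ECC CDH) exchange run in-band, authenticated with a pre-shared secret and SHA-256, producing a key for GCM-AES-256, renewed every Key Exchange Period. The Go program below is an added example of that exchange with both units' messages, written for this page and not PacketLight's implementation: it uses the Go standard library's P-256 ECDH (cofactor 1, so ECC CDH reduces to plain ECDH), HMAC-SHA256 under the PSK to authenticate each side's public value, and AES-256-GCM with a frame-counter nonce. The PSK value, the message layout, the "dh-auth"/"session-key" labels and the attacker model (a device on the fiber substituting its own DH value) are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// psk: the pre-shared secret provisioned out of band on both units for one service (constructed value).
var psk = []byte("constructed-psk-for-encrypted-service-1")

// HandshakeMsg is the in-band key-exchange message: an ephemeral P-256 public value plus an
// HMAC-SHA256 tag under the PSK. A device tapping the fiber has no PSK and cannot forge the tag.
type HandshakeMsg struct{ Pub, Tag []byte }

func authTag(pub []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte("dh-auth"))
	m.Write(pub)
	return m.Sum(nil)
}

// NewHandshake generates a fresh ephemeral key pair and its authenticated message.
func NewHandshake() (*ecdh.PrivateKey, HandshakeMsg) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	pub := priv.PublicKey().Bytes()
	return priv, HandshakeMsg{Pub: pub, Tag: authTag(pub)}
}

// DeriveKey verifies the peer's tag, runs ECDH (P-256 has cofactor 1, so ECC CDH is plain ECDH
// here) and derives the AES-256 session key as HMAC-SHA256 of the shared secret keyed by the PSK.
func DeriveKey(priv *ecdh.PrivateKey, peer HandshakeMsg) ([]byte, error) {
	if !hmac.Equal(peer.Tag, authTag(peer.Pub)) {
		return nil, fmt.Errorf("peer DH value failed PSK authentication")
	}
	peerPub, err := ecdh.P256().NewPublicKey(peer.Pub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, psk)
	m.Write([]byte("session-key"))
	m.Write(shared)
	return m.Sum(nil), nil // 32 bytes: the AES-256-GCM key for this Key Exchange Period
}

// Exchange runs the handshake between units A and B. With attackerInPath set, a device on
// the fiber swaps B's public value for its own and can only replay B's tag.
func Exchange(attackerInPath bool) (keyA, keyB []byte, err error) {
	privA, msgA := NewHandshake()
	privB, msgB := NewHandshake()
	toA := msgB
	if attackerInPath {
		_, evil := NewHandshake()
		toA = HandshakeMsg{Pub: evil.Pub, Tag: msgB.Tag}
	}
	if keyA, err = DeriveKey(privA, toA); err != nil {
		return nil, nil, err
	}
	if keyB, err = DeriveKey(privB, msgA); err != nil {
		return nil, nil, err
	}
	return keyA, keyB, nil
}

// NewAEAD builds the AES-256-GCM cipher for one Key Exchange Period. The 96-bit nonce is a
// frame counter that must never repeat under one key: renew the key long before it could wrap.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FrameNonce derives the 96-bit GCM nonce from the frame counter.
func FrameNonce(gcm cipher.AEAD, frameCtr uint64) []byte {
	n := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], frameCtr)
	return n
}

func main() {
	kA, kB, err := Exchange(false)
	_, _, attacked := Exchange(true)
	fmt.Printf("keys match: %v (err=%v); substituted DH value rejected: %v\n",
		hmac.Equal(kA, kB), err, attacked != nil)
}
```

Frames are then protected with `gcm.Seal(nil, FrameNonce(gcm, ctr), frame, nil)` on one side and `gcm.Open` with the same counter on the other; GCM's tag check is what gives the "data integrity" property on Page 6, since any modified bit or wrong counter fails decryption. The example deliberately omits freshness in the handshake, so a recorded (Pub, Tag) pair from an earlier period could be replayed; a production design adds a nonce or counter to the authenticated message before the Key Exchange Period rolls the key.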

Page 9: PL-1000TE-Crypto Applications

• Secured fiber network infrastructure for:
  – Government and data center connectivity
  – Banks, credit card companies and other financial institutions
  – Cloud providers and ISP backbones
  – Utilities and essential infrastructure

• Feeder of encrypted services into existing Optical Transport Networks (OTN)

• Managed encrypted wavelength services offered by service providers

• Internal data center secured connectivity

Page 10: 8 Encrypted Services Agnostic To Switch Vendor

Page 11: Secured Fiber Network Infrastructure

(Figure: two PL-1000TE Crypto units, switch/router vendor agnostic, carrying encrypted 1G/10G/40G Eth and 4G/8G/10G/16G FC services over the secured fiber network infrastructure; encryption managed by the customer.)

Page 12: Encrypted Services Over OTN Backbone OTU2/OTU4

(Figure: PL-1000TE Crypto units at each site feeding encrypted services into a 10/100G OTN backbone (OTU2/OTU4) carried over 3rd-party OTN infrastructure.)

Page 13: 10G Encryption Over Standard 100G OTU4 Uplink

Using 10G encrypted uplinks into a 100G OTU4 uplink

(Figure: 10G LAN and 8G FC client services encrypted by the PL-1000TE Crypto, multiplexed through a 100G/ADM uplink onto dark fiber/OTU4.)

Page 14: 10G Encryption Over Standard 10G OTU2 Uplink

Using 10G encrypted uplinks into a 10G OTU2 uplink

(Figure: 10G LAN and 8G FC client services encrypted and carried over dark fiber/OTU2.)

Page 15: Service Type Selection

Page 16: Encryption Configuration

Page 17: Crypto Officer Functionality

• The Crypto Officer is a single built-in user 'crypto' that is not manageable by the Admin user.

• Only the Crypto Officer is allowed to change its own password (default: 'crypto', which should be changed when the unit is commissioned).

• Only the Crypto Officer has access to the Encryption tab with the pre-shared-secret information and the Key Exchange Period.

• In all other respects the Crypto Officer behaves like a Read-Only user for GUI and CLI purposes.

• The Crypto Officer user can log in to the device remotely via the Web-GUI over HTTP/HTTPS (use HTTPS: the Encryption tab carries the pre-shared-secret information). The Crypto Officer user is not available via SNMPv3.

• To prevent the Admin from changing the service type from encrypted to non-encrypted, the Crypto Officer has the option to lock the encrypted service.

• For a locked encrypted service, the Admin user cannot change the service type. In addition, if there is at least one locked service, the Admin is not allowed to: restore to factory defaults, load a previously saved configuration file, or switch between SW loads.

Page 18: Firewall

• The built-in firewall allows blocking of any selected IP address or protocol(s).

Page 19: PL-1000TE Management Security

• HTTPS – secured HTTP

• SNMPv3 support

• SSH – Secure Shell (secure replacement for Telnet)

Page 20: RADIUS

• PL-1000TE supports RADIUS for centralized user management

• Up to two RADIUS servers are supported, for redundancy

Page 21: Thank you!

www.packetlight.com