
SafeEnterprise High Speed Encryptor Overview



Presentation Transcript


  1. SafeEnterprise High Speed Encryptor Overview M.Simms – Senior Pre-Sales Engineer

  2. SafeNet HSE vs Router/Firewall VPN
  Cost and Performance
  • Requires extra memory/blades in switch/router/firewall due to loss of performance.
  • Loss of throughput
  • Layer 3 IPSec reduces throughput by as much as 40% for small packets (64 Bytes). Increased fragmentation on large packets.
  • Lower layer technologies – reduced latency and improved performance
  • Higher ongoing costs associated with IPSec management whilst HSE “configure and forget”…
  Security
  • Router not designed as security device – designed to switch/route traffic or inspect packets.
  • Designed to be accessed over a network – telnet etc - not appropriate for security device. SafeNet use bespoke management system (SMC) providing secure comms and management.
  • Designed to be physically modified to e.g. add blades – not appropriate for security device, SafeNet encryptors are physically tamper proof.

  3. Rochester Institute of Technology Confirmation of L2 Advantage
  (chart: Typical Network Traffic Profile)
  Security
  • Less Overhead (better throughput).
  • Better Performance (lower latency).
  • As much as 50% of utilisation is lost relative to packet size (64 – 1518 bytes).
  • Increasing packet size leads to fragmentation – compromised performance.
  • Full report available: http://mktg.safenet-inc.com/mk/get/hse_22

  4. SafeEnterprise High Speed Encryptor External Features
  • Rack-Mountable
  • Remote (Carrier) and Local (Private) interfaces (Rear) – SFP/XFP
  • Management port (10/100 RJ45) for SMC (Front)
  • 9-pin serial port for CLI (Front)
  • Warning and Status Lights
  • LCD and Push Button panel
  • Firmware upgradeable

  5. SafeEnterprise High Speed Encryptor Transceivers
  • Plug in modules supporting local and network ports
  • Copper RJ45 – 10Meg, Fast Ethernet, GbE
  • Single/multi mode – 10GbE
  • OC3/OC12 single/multi mode - 155 and 622 Mbps
  • OC48 single mode – 2.488 Gbps
  • OC192 single mode – 9.952 Gbps
  • Fiber Transceivers plug into interface module
  • Short Range (2km), Intermediate Range (15km), and Long Range (40km) options
  • LC Optical Connectors (smaller than SC)
  (pictures: XFP and SFP modules)

  6. SafeEnterprise Ethernet Encryptor Overview

  7. SafeEnterprise Ethernet Encryptor Features
  • Establishes access control and data privacy for communications over vulnerable Metro Ethernet networks
  • Certificate based authentication RSA 2048 keys / HMAC-SHA-256 / SNMPv3 AES
  • Provides full-duplex line rate encryption at speeds of 10 Mbps, 100Mbps (FastEthernet), 1Gbps (GbE) and 10Gbps
  • AES-256 encryption with automated key management
  • Selective bypass modes support VLANs and MPLS
  • Bump-in-the-wire design is transparent to the network – easy installation in existing environments
  • Common Criteria EAL 4 and FIPS 140-2 level 3 accreditation

  8. SafeEnterprise Ethernet Encryptor Network Placement
  (diagram: LAN – Customer Router – SEE – Carrier Switch – Layer 2 service: Metro Ethernet / VPLS / MPLS, with the SEE managed from the SMC)
  VPLS – Virtual Private LAN Service; MPLS – Multiprotocol Label Switching

  9. Ethernet Basics Overview
  • Carriers/Service Providers now providing long distance Ethernet “trunks” to connect sites (even intercontinental)
  • Referred to as Metro or Carrier Ethernet
  • Can be used instead of traditional WAN protocols – advantages:
    • No encapsulation (protocol translation) required on router – simpler, cheaper equipment
    • Easier IP addressing – single “flat” LAN (breaks traditional LAN/WAN division)
    • Familiarity with simple LAN protocol
    • WAN services at LAN bandwidths/speeds

  10. Ethernet Basics – Ethernet Frame (Clear)
  (diagram: ETHERNET II frame from 172.30.5.104 to 172.30.5.254 with fields DA | SA | TYPE | payload | FCS; the payload is marked “Encrypt”)
  • Destination Address, 6 Bytes: 80 00 20 7A 3F 3E
  • Source Address, 6 Bytes: 80 00 20 7A 55 42
  • Ethertype, 2 Bytes: 08 00
  • Payload, 46 - 1500 Bytes: IP header & clear text user data (the slide shows readable song lyrics as the sample clear text)
  • CRC Checksum, 4 Bytes: 00 20 20 3A

  11. Ethernet Basics – Ethernet Frame (Encrypted)
  (diagram: the same ETHERNET II frame after encryption with fields DA | SA | TYPE | payload | FCS; the payload is marked “Decrypt”)
  • Destination Address, 6 Bytes: 80 00 20 7A 3F 3E
  • Source Address, 6 Bytes: 80 00 20 7A 55 42
  • Ethertype, 2 Bytes: 08 00
  • Payload, 46 - 1500 Bytes: Cipher Text (the slide shows an unreadable random letter string in place of the lyrics)
  • CRC Checksum, 4 Bytes: 01 32 C2 34

  12. Ethernet Basics – VLAN Tagged Ethernet Frame (Encrypted)
  (diagram: ETHERNET II frame with fields DA | SA | Tag | TYPE | payload | FCS; the payload is again shown as an unreadable cipher text string)
  • VLAN TAG, 4 Bytes: 81 00 31 10
  Note: For MPLS, encryption will start immediately after the MPLS label.

  13. Encryption – Cipher Feedback (CFB) A 256 bit key is used in conjunction with an Initialisation Vector to start the encryption process, resulting in the cipher text Block A. Block B is created by Block A being fed back into the cipher engine along with the key. The process is repeated for Block C using Block B and the key. As can be seen in the lower diagram, the decryption process is reliant on the blocks being received in the correct order. Blocks being dropped, or additional blocks being received, will cause an issue with the crypto stream. As CFB is self synchronising an occasional dropped frame will generally not be noticed; the upper network layers or applications will request the data be resent. Injected traffic tends to be persistent, causing a more severe problem that the upper layers may struggle to resolve. The SEE employs an Ethertype mutation process with a discard/bypass option to resolve the problem of injected traffic.
  (diagram: Site A transmitting Blocks A, B, C across the Layer 2 Network to Site B receiving)
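To make the self-synchronisation argument on this slide concrete, here is an added Python model of CFB (not SafeNet code): a SHA-256-based block function stands in for the AES-256 forward function, the key, IV and message are constructed values, each plaintext block carries its own index so garbled blocks are easy to spot, and the two fault cases from the slide are run, one dropped block and one injected block.

```python
import hashlib

BLOCK = 16                 # 128-bit blocks, as for AES
KEY = b"\x11" * 32         # constructed 256-bit key
IV = b"\x22" * BLOCK       # constructed Initialisation Vector
N_BLOCKS = 6               # constructed message length in blocks

def block_encrypt(key, block):
    """Stand-in for the AES-256 forward function; CFB needs only E, never D."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, blocks):
    """C_i = P_i XOR E(C_{i-1}), with the IV standing in for Block A's predecessor."""
    prev, out = iv, []
    for p in blocks:
        prev = xor(p, block_encrypt(key, prev))   # the cipher text is what is fed back
        out.append(prev)
    return out

def cfb_decrypt(key, iv, blocks):
    """P_i = C_i XOR E(C_{i-1}): only the previously *received* block matters."""
    prev, out = iv, []
    for c in blocks:
        out.append(xor(c, block_encrypt(key, prev)))
        prev = c
    return out

def plain_block(i):
    """Self-identifying plaintext: block i encodes the integer i."""
    return i.to_bytes(BLOCK, "big")

def recover(received):
    """Index each received block decrypts to, or None when it is garbage."""
    out = []
    for p in cfb_decrypt(KEY, IV, received):
        i = int.from_bytes(p, "big")
        out.append(i if i < N_BLOCKS else None)
    return out

CIPHER = cfb_encrypt(KEY, IV, [plain_block(i) for i in range(N_BLOCKS)])

def dropped_block_scenario():
    """Block 2 is lost in the Layer 2 network: blocks 0, 1, 3, 4, 5 arrive."""
    return recover(CIPHER[:2] + CIPHER[3:])

def injected_block_scenario():
    """A foreign block (constructed value) is inserted after block 2."""
    return recover(CIPHER[:3] + [bytes(range(BLOCK))] + CIPHER[3:])
```

One lost block costs only the block that follows it, while one injected block costs itself and the block after it, which is why a persistent injector does lasting damage where an occasional drop does not.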

  14. Encryption – Counter Mode (CTR) The 10GbE SEE uses Counter (CTR) Mode (CM). Unlike CFB, CM does not self synchronise and requires a synchronised CTR value to be maintained between the encryptors. This is achieved by introducing an 8-byte shim into frames at a user defined rate, the default being every 32 frames. The 8-byte shim is inserted immediately after the Ethernet address field and consists of a 2-byte Ethertype, a 1-byte identifier and the remaining 5 bytes making up the counter. A shim insertion value of more than 32 will not significantly increase throughput but will reduce error recovery. The shim insertion can be further controlled by enabling or disabling insertion where insertion would violate the maximum MTU setting - 1518 for Ethernet.
  (diagram: Site A transmitting Blocks A, B, C across the Layer 2 Network to Site B receiving)

  15. Encryption – 10GbE Ethernet – Counter Mode Shim
  Frame layout (field, bytes): User DA (6) | User SA (6) | FC0F (2) | 81 (1) | CTR (5) | Encrypted USER type & payload (N) | FCS (4)
  • 8-byte shim synchronizes the CTR value between devices
  • Shim header inserted into select frames based on user defined rate
  • Range: 1 – 512 Default: 32
  • 0 disables shim insertion
  • Configurable to not insert if resulting frame would exceed MTU of 1518.
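The shim mechanics of slides 14 and 15, as an added Python model (not SafeNet code): the shim layout follows the slide (Ethertype FC0F, identifier 81, 5-byte counter, inserted after DA/SA, default rate 32, 0 disables, optional MTU check against 1518), while the one-counter-per-frame rule, the sample frame and the loss simulation are constructed assumptions for the demonstration.

```python
import struct

SHIM_ETHERTYPE = 0xFC0F   # from slide 15
SHIM_ID = 0x81            # from slide 15
SHIM_LEN = 8              # 2 + 1 + 5 bytes
MTU = 1518                # Ethernet maximum quoted on the slide

# Constructed sample frame: DA and SA from slide 10, IPv4 Ethertype, 46-byte body, no FCS.
SAMPLE_FRAME = bytes.fromhex("8000207a3f3e" "8000207a5542" "0800") + b"\x00" * 46

def build_shim(counter):
    """2-byte Ethertype, 1-byte identifier, 5-byte CTR value."""
    if not 0 <= counter < 1 << 40:
        raise ValueError("counter does not fit in 5 bytes")
    return struct.pack("!HB", SHIM_ETHERTYPE, SHIM_ID) + counter.to_bytes(5, "big")

def insert_shim(frame, counter, seq, rate=32, respect_mtu=True):
    """Insert the shim after the Ethernet addresses on every rate-th frame.
    rate=0 disables insertion; respect_mtu skips frames the shim would push past 1518."""
    if rate == 0 or seq % rate != 0:
        return frame
    if respect_mtu and len(frame) + SHIM_LEN > MTU:
        return frame
    return frame[:12] + build_shim(counter) + frame[12:]

def strip_shim(frame):
    """Return (frame without shim, counter), or (frame, None) if no shim is present."""
    if frame[12:14] == b"\xfc\x0f" and frame[14] == SHIM_ID:
        return frame[:12] + frame[12 + SHIM_LEN:], int.from_bytes(frame[15:20], "big")
    return frame, None

def simulate(n_frames, lost, rate=32):
    """Assumption for the demo: the sender's counter equals the frame sequence number.
    Returns how many delivered frames the receiver would decrypt with a stale counter."""
    rx_counter, wrong = 0, 0
    for seq in range(n_frames):
        frame = insert_shim(SAMPLE_FRAME, seq, seq, rate)
        if seq in lost:
            continue                     # frame dropped by the Layer 2 network
        _, shim_counter = strip_shim(frame)
        if shim_counter is not None:
            rx_counter = shim_counter    # resynchronise from the shim
        if rx_counter != seq:
            wrong += 1
        rx_counter += 1                  # advance per frame, as the sender does
    return wrong
```

With shims disabled a single lost frame leaves every later frame undecryptable; with the default rate the damage stops at the next shim.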

  16. Encryption 10GbE Ethernet – Throughput

  17. Encryption – Ethertype Mutation
  (diagram: Switch – Encryptor – Encryptor – Switch)
  Before Mutation: 0800. After Mutation: F800.

  18. Ethernet Frame – Clear text frame A typical tagged clear text Ethernet II frame captured from a packet sniffer. It can be clearly seen, from the Ethertype field, that this is an IP frame. Looking further into the Ethernet payload we can see this is a Ping request from a computer with IP address 192.168.202.20 to a computer with IP address 192.168.202.10. Note the ICMP payload sequence. Packet sniffers are ever more sophisticated and are quite capable of piecing together related packets within the data stream. This makes it very simple to capture only the useful information, a complete database being backed up across the wire for example.

  19. Ethernet Frame – Cipher text frame A typical tagged cipher text Ethernet II frame. The Ethernet header, up to the second Ethertype field, has been left in the clear to allow it to traverse the network. Note the second Ethertype has been mutated to F800 from 0800, thus allowing it to pass across non-compliant layer 2 networks that make decisions based on this data field. All data is encrypted beyond this field, making it impossible for the packet sniffer to gain any useful information.
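Slides 10 to 12 and 17 to 19 together describe what the SEE leaves in the clear and what it hides; this added Python model (not SafeNet code) walks a constructed VLAN-tagged ping frame built from the MAC addresses, VLAN tag and IP addresses quoted on those slides, keeps DA/SA/tag in the clear, mutates the Ethertype 0800 to F800 and encrypts everything after it. The SHA-256 keystream and the key are stand-ins for the device's AES-256, and the FCS is left out of the model (the slides show it changes after encryption).

```python
import hashlib
import struct

ETH_8021Q = 0x8100             # VLAN tag Ethertype (slide 12: 81 00 31 10)
MUTATION = {0x0800: 0xF800}    # the only before/after pair shown on slide 17
DEMUTATION = {v: k for k, v in MUTATION.items()}
KEY = b"\x33" * 32             # constructed 256-bit key
SRC, DST = bytes([192, 168, 202, 20]), bytes([192, 168, 202, 10])   # IPs from slide 18

def split(frame):
    """(clear header, Ethertype, body): the header is DA(6) + SA(6) + any 802.1Q tags."""
    off = 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_8021Q:
        off += 4               # tags stay in the clear so the carrier can still switch on them
    return frame[:off], struct.unpack_from("!H", frame, off)[0], frame[off + 2:]

def xor_stream(data, key):
    """Stand-in for AES-256: XOR with a SHA-256 counter keystream (self-inverse)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(b ^ k for b, k in zip(data, ks))

def protect(frame, key):
    """Keep DA/SA/tags, mutate the Ethertype, encrypt everything after it."""
    hdr, et, body = split(frame)
    if et not in MUTATION:
        raise ValueError(f"no mutation defined for Ethertype {et:#06x}")
    return hdr + struct.pack("!H", MUTATION[et]) + xor_stream(body, key)

def unprotect(frame, key):
    """Reverse of protect(): restore the Ethertype and decrypt the body."""
    hdr, et, body = split(frame)
    return hdr + struct.pack("!H", DEMUTATION[et]) + xor_stream(body, key)

def build_ping_frame():
    """Constructed sample: VLAN-tagged IPv4 ICMP echo request, FCS omitted."""
    eth = bytes.fromhex("8000207a3f3e" "8000207a5542" "81003110" "0800")
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 7) + b"abcdefgh"   # echo request, seq 7
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, SRC, DST)
    return eth + ip + icmp

def sniffer_sees_addresses(frame):
    """What a packet sniffer can pick out: are both IP addresses visible in the frame?"""
    return SRC in frame and DST in frame
```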

  20. SafeEnterprise SONET Encryptor Overview

  21. SafeEnterprise SONET Encryptor Features
  • SONET/SDH Line/Path Encryptor
  • Bump-In-The-Fiber (BITF) – Transparent to switches & regenerators
  • Support for OC3, OC12, OC48 and OC192 links
  • Supports AES 256 algorithm
  • Certificate based authentication RSA 2048 keys / HMAC-SHA-256 / SNMPv3 AES
  • Secure and simple remote management using SMC
  • Common Criteria EAL 4 and FIPS 140-2 level 3 accreditation

  22. SafeEnterprise SONET Encryptor Network Deployment

  23. SafeEnterprise SONET Encryptor Network Placement
  (diagram: two arrangements, Path Encryption and Line Encryption, showing where the SSE units sit relative to the ADMs)

  24. SONET Basics – Timeslot Overview
  Each channel has a “timeslot” over the synchronous link.
  (diagram: four OC3s – timeslots 1 to 3, 4 to 6, 7 to 9 and 10 to 12 – multiplexed onto one SYNCHRONISED OC12 link and demultiplexed again at the far end)
  Each of the four OC3s shown above is made up of three OC1s by using multiple timeslots, 1-3, 4-6 etc. The diagram shows four OC3s being multiplexed across an OC12 link. The starting slot number defines the channel: one, four, seven and ten.

  25. SONET Basics Frame Overview The SONET/SDH frame consists of 9 section overhead bytes and 18 line overhead bytes and a Synchronous Payload Envelope (SPE). The SPE has 9 path overhead bytes and a 774-byte payload.

  26. SONET Basics Transport overhead encryption The SSE provides confidentiality of the information transmitted in the SONET/SDH frame by encrypting the SPE payload. Additional encryption can be applied to the Section and Line bytes of the transport overhead.

  27. SONET Basics Payload overhead encryption In the same fashion as the Transport overhead, additional encryption can be applied to the bytes of the payload overhead.

  28. SafeEnterprise Management Centre Overview

  29. SafeEnterprise Management Centre Overview
  • Software application that securely manages the installation, configuration and monitoring of SafeNet HSE encryption devices
  • Manage and configure all devices from one central location
  • Optional Pairing, Replication or Clustering
  • Built in CA to administer generation and storage of certificates for devices enabling secure authentication
  • LUNA Keystore
    • Generation and/or storage of key pairs and certificates used to sign SxE device certificates.
    • Root database encryption key
  • Unique encrypted connection from SMC to each device
  • RADIUS
  • VMWare
  • Provides monitoring and audit capabilities
  • Can act as an SNMP Proxy to existing NMC

  30. SafeEnterprise Management Centre Architecture SMCII is a J2EE application, running JBoss Application Server hosting middleware EJB components and a Web server, connecting to a co-located MySQL database. The SMCII server can be installed either on x86 server hardware running Windows Server 2003 or Windows Server 2008, or on SPARC hardware running Solaris. The installer, run locally or over telnet/VNC, will completely install, configure, and start the SMCII server. The database and application server processes run as services on both Windows and Solaris, and will start automatically each time the server boots.

  31. SafeEnterprise Management Centre Certification process

  32. SafeEnterprise Management Centre Status Front Panel Display

  33. SafeEnterprise Management Centre Security - Connections

  34. Security Management Centre Security – Ether Type Configuration

  35. Security Management Centre Security – Ether Type Count

  36. SafeEnterprise Management Centre Security – Audit Log

  37. SafeEnterprise Management Centre Device View

  38. SafeEnterprise Management Centre Add Connections (screenshot; includes a Start Slot field)

  39. SafeEnterprise Management Centre Security – Connections Configuration

  40. SafeNet and Cisco: A 40G Core Encryption Solution – Supports Commercial and Type 1 Encryption
