Transcript Encrypted

SafeEnterprise High Speed
Encryptor Overview
M.Simms – Senior Pre-Sales Engineer
SafeNet HSE vs Router/Firewall VPN
Cost and Performance

Requires extra memory/blades in switch/router/firewall due to loss of
performance.

Loss of throughput
 Layer 3 IPSec reduces throughput by as much as 40% for small packets
(64 Bytes). Increased fragmentation on large packets.
 Lower layer technologies – reduced latency and improved performance

Higher ongoing costs associated with IPSec management whilst HSE
“configure and forget”…
Security

Router not designed as security device – designed to switch/route traffic or
inspect packets.

Designed to be accessed over a network – telnet etc - not appropriate for
security device. SafeNet use bespoke management system (SMC) providing
secure comms and management.

Designed to be physically modified to e.g. add blades – not appropriate for
security device, SafeNet encryptors are physically tamper proof.
Rochester Institute of Technology
Confirmation of L2 Advantage
Typical Network
Traffic Profile
Security

Less Overhead (better throughput).

Better Performance (lower latency).

As much as 50% of utilisation is lost relative to packet size (64 – 1518 bytes).

Increasing packet size leads to fragmentation – compromised performance.

Full report available: http://mktg.safenet-inc.com/mk/get/hse_22
SafeEnterprise High Speed Encryptor
External Features

Rack-Mountable

Remote (Carrier) and Local (Private) interfaces (Rear) –
SFP/XFP

Management port (10/100 RJ45) for SMC (Front)

9-pin serial port for CLI (Front)

Warning and Status Lights

LCD and Push Button panel

Firmware upgradeable
SafeEnterprise High Speed Encryptor
Transceivers

Plug in modules supporting local and network ports

Copper RJ45 – 10Meg, Fast Ethernet, GbE

Single/multi mode – 10GbE

OC3/OC12 single/multi mode - 155 and 622 Mbps

OC48 single mode – 2.488 Gbps

OC192 single mode – 9.952 Gbps

Fiber Transceivers plug into interface module

Short Range (2km), Intermediate Range (15km), and Long Range (40km) options

LC Optical Connectors (smaller than SC)
XFP
SFP
SafeEnterprise Ethernet
Encryptor Overview
SafeEnterprise Ethernet Encryptor
Features

Establishes access control and data privacy for communications over vulnerable
Metro Ethernet networks

Certificate based authentication RSA 2048 keys / HMAC-SHA-256 / SNMPv3 AES

Provides full-duplex line rate encryption at speeds of 10 Mbps, 100Mbps
(FastEthernet), 1Gbps (GbE) and 10Gbps

AES-256 encryption with automated key management

Selective bypass modes support VLANs and MPLS

Bump-in-the-wire design is transparent to the network – easy installation in
existing environments

Common Criteria EAL 4 and FIPS 140-2 level 3 accreditation
SafeEnterprise Ethernet Encryptor
Network Placement
SMC
Layer 2 service:
Metro Ethernet
SEE
VPLS
MPLS
Carrier Switch
Customer
Router
VPLS- Virtual private LAN Service
MPLS- Multiprotocol Label
Switching
LAN
Ethernet Basics
Overview

Carriers/Service Providers now providing long distance Ethernet “trunks” to
connect sites (even intercontinental)

Referred to as Metro or Carrier Ethernet

Can be used instead of traditional WAN protocols – advantages:

No encapsulation (protocol translation) required on router – simpler,
cheaper equipment

Easier IP addressing – single “flat” LAN (breaks traditional LAN/WAN
division)

Familiarity with simple LAN protocol

WAN services at LAN bandwidths/speeds
Ethernet Basics
Ethernet Frame (Clear)
Destination Address
Ethertype
CRC Checksum
6 Bytes
80 00 20 7A 3F 3E
2 Bytes
08 00
4 Bytes
00 20 20 3A
ETHERNET II
DA
SA
TYPE
172.30.5.104
172.30.5.254
It was a cold and wet December day When we
touched the ground at JFK Snow was melting on the
ground On BLS I heard the sound Of an angel New
York, like a Christmas tree Tonight this city belongs
to me Angel
Source Address
Payload
6 Bytes
80 00 20 7A 55 42
46 - 1500 Bytes
IP header & clear text user data
Encrypt
FCS
Ethernet Basics
Ethernet Frame (Encrypted)
Destination Address
Ethertype
CRC Checksum
6 Bytes
80 00 20 7A 3F 3E
2 Bytes
08 00
4 Bytes
ETHERNET II
DA
SA
TYPE
01 32 C2 34
pgyjzwvqxemyqgemgafxdyydstffdldkppdurnrsbpljmfedbhysuo
qltrwbjavysezoewiklcqvrucdbrpvxfxujmdakebxpznqqdxkuae
korboqmmsvuvjquwssyyrqaqlyrfzbgdhnqkwbbitpjeenvtffavdg
hgjmgexnelqgbsfgjucgefpppppczuwbwmrztohdyihfmssyirxampi
domkukwjkfdjrjhqgymwgddoirfwlxlzvkuuuyfjdblqwnwjdlxpqk
vgxxluoepcoitvvysmlzzlvckzumonuctvumeexxjceknxjqmwrukiv
xnqwvvmtubouoknlanuibqjpzfmtybudsjtqktujcxtxppcsucyini
oexftvtjiiphzvzcrozduato
Source Address
Payload
6 Bytes
80 00 20 7A 55 42
46 - 1500 Bytes
Cypher Text
Decrypt
FCS
Ethernet Basics
VLAN Tagged Ethernet
Frame (Encrypted)
ETHERNET II
DA
SA
Tag
TYPE
pgyjzwvqxemyqgemgafxdyydstffdldkppdurnrsbpljmfedbhysuo
qltrwbjavysezoewiklcqvrucdbrpvxfxujmdakebxpznqqdxkuae
korboqmmsvuvjquwssyyrqaqlyrfzbgdhnqkwbbitpjeenvtffavdg
hgjmgexnelqgbsfgjucgefpppppczuwbwmrztohdyihfmssyirxampi
domkukwjkfdjrjhqgymwgddoirfwlxlzvkuuuyfjdblqwnwjdlxpqk
vgxxluoepcoitvvysmlzzlvckzumonuctvumeexxjceknxjqmwrukiv
xnqwvvmtubouoknlanuibqjpzfmtybudsjtqktujcxtxppcsucyini
oexftvtjiiphzvzcrozduato
VLAN TAG
4 Bytes
81 00 31 10
Note: For MPLS, encryption will start immediately after the MPLS label.
FCS
Encryption
Cypher Feedback (CFB)
A 256 bit key is used in conjunction with
an Initialisation Vector to start the
encryption process. Resulting in the
cipher text Block A.
Block B is created by Block A being fed
back in to the cipher engine along with
the key.
The process is repeated for Block C
using Block B and the key.
Block A
Block B
Block C
Block C
Layer 2 Network
Site A (Transmitting)
Block A
Block B
Block C
As can be seen in the lower diagram, the
decryption process is reliant on the
blocks being received in the correct
order. Blocks being dropped, or
additional blocks being received will
cause an issue with the crypto stream.
As CFB is self synchronising an
occasional dropped frame will generally
not be noticed. The upper network
layers or applications will request the
data be resent.
Injected traffic tends to be persistent,
causing a more severe problem that the
upper layers may struggle to resolve.
The SEE employs an Ethertype mutation
process with a discard/bypass option to
resolve the problem of injected traffic.
Site B (Receiving)
Encryption
Counter Mode (CTR)
Block A
Block B
Block C
Layer 2 Network
Site A (Transmitting)
Block A
Site B (Receiving)
The 10GbE SEE uses Counter (CTR)
Mode (CM). Unlike CFB, CM does not
self synchronise and requires a
synchronised CTR value to be
maintained between the encryptors. This
is achieved by introducing an 8-byte
shim in to frames at a user defined
rate. The default value being every 32
frames.
Block B
Block C
The 8-byte shim is inserted immediately
after the Ethernet address field and
consists of a 2-byte Ethertype, a 1-byte
identifier with the remaining 5-bytes
making up the counter.
A shim insertion value of more than 32
will not significantly increase throughput
but will reduce error recovery. The shim
insertion can be further controlled by
enabling or disabling insertion where
insertion would violate the maximum
MTU setting - 1518 for Ethernet.
Encryption
10GbE Ethernet – Counter Mode Shim

8-byte shim synchronizes the CTR value between devices
User DA
6


User SA
FC0F
8
1
CTR
Encrypted USER type & payload
FCS
6
2
1
5
N
4
Shim header inserted into select frames based on user defined rate

Range: 1 – 512 Default: 32

0 disables shim insertion
Configurable to not insert if resulting frame would exceed MTU of 1518.
Encryption
10GbE Ethernet – Throughput
Encryption
Ethertype Mutation
Switch
Before Mutation
0800
After Mutation
F800
Encryptor
Encryptor
Switch
Ethernet Frame
Clear text frame
A typical tagged clear text
Ethernet II frame captured from a
packet sniffer.
It can be clearly seen, from the
Ethertype field that this is an IP
frame.
Looking further in to the Ethernet
payload we can see this is a Ping
request from a computer with IP
address 192.168.202.20 to a
computer with IP address
192.168.202.10. Note the ICMP
payload sequence.
Packet sniffers are ever more
sophisticated and are quite
capable of piecing together
related packets within the data
stream. This makes it very simple
to only capture useful information,
a complete database being
backed up across the wire for
example.
Ethernet Frame
Cypher text frame
A typical tagged Cypher text
Ethernet II frame. The Ethernet
header, up to the second
Ethertype field has been left in the
clear to allow it to traverse the
network.
Note the second Ethertype has
been mutated to F800 from 0800,
thus allowing it to pass across non
compliant layer 2 networks that
make decisions based on this
data field.
All data is encrypted beyond this
field making it impossible for the
packet sniffer to gain any useful
information.
SafeEnterprise SONET Encryptor
Overview
SafeEnterprise SONET Encryptor
Features

SONET/SDH Line/Path Encryptor

Bump-In-The-Fiber (BITF) – Transparent to switches & regenerators

Support for OC3, OC12, OC48 and OC192 links

Supports AES 256 algorithm

Certificate based authentication RSA 2048 keys / HMAC-SHA-256 / SNMPv3 AES

Secure and simple remote management using SMC

Common Criteria EAL 4 and FIPS 140-2 level 3 accreditation
SafeEnterprise SONET Encryptor
Network Deployment
SafeEnterprise SONET Encryptor
Network Placement
Path Encryption
SSE
SSE
ADMs
SSE
SSE
SSE
ADMs
Line Encryption
SSE
SONET Basics
Timeslot Overview
Multiplexing
OC3
1 to 3
OC3
4 to 6
OC3
7 to 9
OC3
10 to 12
Each channel has a “timeslot”
over the synchronous link
DeMultiplexing
OC12
1
4
7
10
1
4
7
1
OC3
4
OC3
7
OC3
10
OC3
10
SYNCHRONISED
Each of the four OC3s shown above is made up of three OC1s by using
multiple timeslots, 1-3, 4-6 etc. The diagram shows four OC3s being
multiplexed across an OC12 link. The starting slot number defines the
channel, one, four seven and ten.
SONET Basics
Frame Overview
The SONET/SDH frame consists of 9 section overhead bytes and 18 line
overhead bytes and a Synchronous Payload Envelope (SPE). The SPE
has 9 path overhead bytes and a 774-byte payload.
SONET Basics
Transport overhead encryption
The SSE provides confidentiality of the information transmitted in the SONET/SDH
frame by encrypting the SPE payload. Additional encryption can be applied to the
Section and Line bytes of the transport overhead.
SONET Basics
Payload overhead encryption
In the same fashion as the Transport overhead, additional encryption can be applied
to the bytes of the payload overhead.
SafeEnterprise Management
Centre Overview
SafeEnterprise Management Centre
Overview

Software application that securely manages the installation, configuration and
monitoring of SafeNet HSE encryption devices

Manage and configure all devices from one central location



Optional Pairing, Replication or Clustering
Built in CA to administer generation and storage of certificates for devices enabling
secure authentication
LUNA Keystore


Generation and/or storage of key pairs and certificates used to sign SxE device certificates.
Root database encryption key

Unique encrypted connection from SMC to each device

RADIUS

VMWare

Provides monitoring and audit capabilities

Can act as an SNMP Proxy to existing NMC
SafeEnterprise Management Centre
Architecture
SMCII is a J2EE application, running JBoss Application Server hosting middleware EJB components and a
Web server, connecting to a co-located MySQL database. SMCII server can be installed on either x86 server
hardware running Windows Server 2003 or Windows Server 2008, or on SPARC hardware running locally or
over telnet/VNC, and will completely install, configure, and start the SMCII server. The database and
application server processes run as services on both Windows and Solaris, and will start automatically
each time the server boots.
SafeEnterprise Management Centre
Certification process
SafeEnterprise Management Centre
Status Front Panel Display
SafeEnterprise Management Centre
Security - Connections
Security Management Centre
Security – Ether Type Configuration
Security Management Centre
Security – Ether Type Count
SafeEnterprise Management Centre
Security – Audit Log
SafeEnterprise Management Centre
Device View
SafeEnterprise Management Centre
Add Connections
Start Slot
SafeEnterprise Management Centre
Security – Connections Configuration
SafeNet and Cisco:
A 40G Core Encryption Solution
Supports Commercial and Type 1
Encryption