Fact Sheet SEN-112




               Understanding Senetas
                 layer 2 encryption




Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is
granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this
document may be issued, without notice, from time to time.


      Introduction
      CN encryption devices are purpose-built hardware appliances, developed in Australia by Senetas
      Corporation since 1997, that provide secure transport across layer 2 network services.

      The CN product range is mature and Federal government endorsed (it has achieved both Common
      Criteria EAL4+ certification and FIPS 140-2 Level 3 validation), and has been deployed to protect
      critical infrastructure in thousands of locations in more than thirty-five countries.

      The CN platform is optimised to secure information transmitted over a diverse range of network
      protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at
      data rates up to 10 Gigabits per second (Gbps). The CN series latency and overhead are lower than
      competing solutions available in the marketplace.

      Encryption occurs at the data link layer (layer 2): the payload of each received frame is encrypted
      and the protocol header is left in the clear so that the frame can be switched through the network
      as intended. Because the header is not encrypted, source and destination MAC addresses and VLAN
      tags remain visible to the carrier network; only the payload is protected.

      Encryption at layer 2 avoids several drawbacks of traditional layer 3 (IP) encryption: configuration
      complexity, the throughput and latency cost of tunnelling, and the restriction to IP traffic, since
      a layer 2 encryptor carries whatever protocol the link carries.

      CN encryptors are fully autonomous and operate independently in point-to-point or large meshed
      environments with no reliance on external servers.

      Supporting fully automatic key management with unique encryption keys per connection, the devices
      offer a secure, resilient and high-performance method of securing sensitive voice, video or data.

      The remainder of this document focuses on the CN series Ethernet encryptor to describe the layer 2
      approach to securing information.




      Product architecture
      The CN encryptor is an inline device located at the edge of a network, between a local private
      network and a remote public network.
      CN encryptors provide access control, authentication and confidentiality for information transmitted
      between secured sites. They can be added to an existing network with complete transparency to end
      users and network equipment. An example installation is shown in Figure 1.








                                    Figure 1 – Ethernet Mesh Deployment

      The encryptor receives frames on its ingress port; valid frames are classified according to the
      Ethernet header and then processed according to the configured policy.
      The frame processing policy is highly configurable and supports operation in point-to-point, hub-and-
      spoke or fully meshed environments. In a meshed environment each encryptor supports over 500
      concurrent connections to peer devices, with per-connection policy tied either to the remote MAC
      address or to the VLAN ID.
      Allowable policy actions are:
        • Encrypt – the frame payload is encrypted according to the defined policy
        • Discard – the frame is dropped; no portion of it is transmitted
        • Bypass – the frame is transmitted without alteration
      Selective policy control allows mixed traffic profiles: specified traffic types can be bypassed or
      discarded (for example, bypassing core switch operation or maintenance frames), with policy
      resolution down to the ethertype level. A bypassed frame leaves the device in the clear, so the
      bypass list should be limited to the control-plane traffic that genuinely needs it.
      After encryption the Ethernet transmitter module recalculates and inserts the Frame Check Sequence
      (FCS) at the end of the frame. The frame is then encoded and transmitted.
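      The classification and policy lookup described above, as an added worked example; this is
      illustrative code written for this page, not Senetas firmware. It parses the Ethernet header
      (including nested 802.1Q/802.1ad VLAN tags, which the Compatibility section says are carried
      transparently), then applies an Encrypt/Discard/Bypass table keyed on ethertype, outermost VLAN
      ID, remote unicast MAC or multicast MAC, and treats the Senetas ethertype 0xFC0F given later in
      this fact sheet as the encryptor's own control traffic. The policy table, MAC addresses and frames
      are constructed for the example, and the rule precedence (control ethertype, then bypass
      ethertypes, then VLAN, then destination MAC, then a discard default) is an assumption: the fact
      sheet does not state the evaluation order.

```python
"""Ethernet header parsing and Encrypt/Discard/Bypass policy lookup.
Illustrative code for this page, not Senetas firmware; the policy
table, MACs and frames below are constructed for the example."""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8   # 802.1ad outer (QinQ) tag
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_LLDP = 0x88CC     # switch maintenance frames, a typical bypass candidate
ETH_P_SENETAS = 0xFC0F  # encryptor key/management traffic (from the fact sheet)


@dataclass
class Header:
    dst: bytes
    src: bytes
    vlans: list          # VLAN IDs, outermost first
    ethertype: int       # innermost ethertype after all tags are peeled
    payload_offset: int


def parse_header(frame: bytes) -> Header:
    """Peel nested VLAN tags and return the fields policy is keyed on."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlans = []
    while etype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)   # VID is the low 12 bits; PCP/DEI pass through
        off += 4
    return Header(dst, src, vlans, etype, off)


def is_multicast(mac: bytes) -> bool:
    return bool(mac[0] & 0x01)       # I/G bit of the destination address


@dataclass
class Policy:
    bypass_ethertypes: set    # transmitted in the clear
    encrypt_vlans: set        # VLAN IDs sharing a group key
    encrypt_peers: set        # remote unicast MACs with a pairwise connection
    encrypt_groups: set       # multicast MACs with a group key
    default: str = "discard"  # anything unmatched is dropped


def classify(frame: bytes, policy: Policy) -> str:
    """Return 'control', 'bypass', 'encrypt' or 'discard' for one frame.
    The evaluation order is an assumption made for this example."""
    h = parse_header(frame)
    if h.ethertype == ETH_P_SENETAS:
        return "control"                       # the encryptor's own traffic
    if h.ethertype in policy.bypass_ethertypes:
        return "bypass"
    if h.vlans and h.vlans[0] in policy.encrypt_vlans:
        return "encrypt"                       # keyed on the outermost VID
    if is_multicast(h.dst):
        return "encrypt" if h.dst in policy.encrypt_groups else policy.default
    if h.dst in policy.encrypt_peers:
        return "encrypt"
    return policy.default


def build_frame(dst, src, ethertype, payload, vlans=()):
    """Constructed test frame; a QinQ frame gets an 802.1ad outer tag."""
    hdr = dst + src
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if (i == 0 and len(vlans) > 1) else ETH_P_8021Q
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed addresses and policy for the demonstration.
PEER = bytes.fromhex("001122334455")
LOCAL = bytes.fromhex("66778899aabb")
STRANGER = bytes.fromhex("ccddeeff0011")
MCAST = bytes.fromhex("01005e010203")
BCAST = b"\xff" * 6
POLICY = Policy({ETH_P_ARP, ETH_P_LLDP}, {100}, {PEER}, {MCAST})
PAYLOAD = b"\x00" * 46

if __name__ == "__main__":
    samples = {
        "unicast to peer": build_frame(PEER, LOCAL, ETH_P_IP, PAYLOAD),
        "unicast to unknown": build_frame(STRANGER, LOCAL, ETH_P_IP, PAYLOAD),
        "VLAN 100 to unknown": build_frame(STRANGER, LOCAL, ETH_P_IP, PAYLOAD, (100,)),
        "QinQ 200/100": build_frame(STRANGER, LOCAL, ETH_P_IP, PAYLOAD, (200, 100)),
        "ARP broadcast": build_frame(BCAST, LOCAL, ETH_P_ARP, PAYLOAD),
        "multicast group": build_frame(MCAST, LOCAL, ETH_P_IP, PAYLOAD),
        "encryptor control": build_frame(PEER, LOCAL, ETH_P_SENETAS, PAYLOAD),
    }
    for name, frame in samples.items():
        print(f"{name:22s} -> {classify(frame, POLICY)}")
```

      Note that the bypass rule is matched on the ethertype before any encrypt rule, so a host on the
      private side that tags its own frames with a bypassed ethertype would send them across the public
      network in the clear; that is the reason for keeping the bypass list short and for defaulting
      unmatched traffic to discard rather than bypass.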


      Multicast traffic and VLANs

      Multicast encryption encrypts traffic sent from a host to all members of a multicast group; it
      operates at layer 2 with no requirement to modify core switch operation. Policy is tied to the
      multicast MAC address.
      VLAN encryption encrypts traffic between all members of a VLAN community and provides cryptographic
      separation between VLANs. Policy is tied to the VLAN identifier(s).





      In both cases a group key encryption scheme is used so that encrypted data from a single sender can
      be received and decrypted by all members of the VLAN or multicast community. Group key encryption
      uses the AES CTR encryption mode.
      The Senetas group key management scheme is responsible for maintaining group keys across the
      visible network and is designed to be secure, dynamic and robust, with the ability to survive
      network outages and topology changes automatically. It does not rely on an external key server to
      distribute group keys, as such a server would introduce both a single point of failure and a single
      point of compromise.
      For robustness and security a group key master is automatically elected amongst the visible
      encryptors within a mesh, based on the traffic actually observed. Using an elected key master from
      within the group allows:
            • Automatic discovery of multicast/VLAN encryption groups
            • Automatic ageing/deletion of inactive groups
            • Secure distribution and updates of keys to all members of multicast groups
            • New members to securely join or leave the group at any time
            • Fault tolerance to network outages and topology changes



                                 Figure 2 - Data flow through the Encryptor
      [Figure 2 shows the frame path: network port interface (header in the clear, encrypted payload)
      through the decryption/encryption engine to the local port interface (header in the clear,
      decrypted payload), with a control & management block alongside the data path.]




      Performance
      Encryption is implemented in dedicated silicon using a cut-through architecture: only a portion of
      the frame needs to be received before encryption and retransmission of the frame can begin. This
      gives consistently low latency (in the order of 7 µs for a 1 Gbps Ethernet encryptor), independent
      of frame size.
      In cipher feedback mode (CFB) encrypted frames are the same size as plaintext frames; no frame
      expansion occurs.
      In counter mode (CTR) an 8-byte shim is appended to each encrypted frame so that counter values
      stay synchronised at both ends: the receiver recovers the counter from the shim rather than from
      frame arrival order. CTR security depends on a (key, counter) pair never being reused, so the
      counter space consumed under one session key is bounded by the periodic session key rotation
      described under Key Management.
      The encryptors are capable of full duplex, full line rate operation independent of packet size or
      higher layer protocol.
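      The two framing behaviours described above, as an added worked example; this is illustrative code
      written for this page, not Senetas firmware. It shows why CTR needs the 8-byte counter shim and
      CFB does not, and what each mode does when a frame is lost on the wire. HMAC-SHA256 stands in for
      the AES-256 block function (an assumption made because AES is not in the Python standard library;
      a real encryptor uses AES). The keys, IV and frames are constructed, the receiver's strict
      anti-replay check is an addition not taken from the fact sheet, and chaining CFB state from the
      previous frame's last ciphertext block is an assumption, since the fact sheet does not say how the
      CN seeds CFB between frames.

```python
"""CTR framing with an 8-byte counter shim versus length-preserving CFB.
Illustrative code for this page, not Senetas firmware. HMAC-SHA256 stands
in for the AES-256 block function (assumption); keys, IV and frames are
constructed for the demonstration."""
import hashlib
import hmac
import struct

BLOCK = 32     # keystream bytes per PRF call (SHA-256 digest size)
SHIM_LEN = 8   # counter shim appended to every CTR frame


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(key: bytes, frame_ctr: int, nbytes: int) -> bytes:
    """Keystream for one frame: PRF over (frame counter, block index)."""
    blocks = (nbytes + BLOCK - 1) // BLOCK
    return b"".join(prf(key, struct.pack("!QQ", frame_ctr, i)) for i in range(blocks))[:nbytes]


class CtrSender:
    def __init__(self, key: bytes):
        self.key, self.next_ctr = key, 0

    def encrypt(self, payload: bytes) -> bytes:
        if self.next_ctr == 2**64 - 1:
            raise RuntimeError("counter exhausted: rekey; a (key, counter) pair must never repeat")
        ctr, self.next_ctr = self.next_ctr, self.next_ctr + 1
        ct = xor(payload, ctr_keystream(self.key, ctr, len(payload)))
        return ct + struct.pack("!Q", ctr)          # the 8-byte shim carries the counter


class CtrReceiver:
    def __init__(self, key: bytes):
        self.key, self.last_ctr = key, -1

    def decrypt(self, wire: bytes) -> bytes:
        if len(wire) < SHIM_LEN:
            raise ValueError("frame shorter than the counter shim")
        ct, (ctr,) = wire[:-SHIM_LEN], struct.unpack("!Q", wire[-SHIM_LEN:])
        if ctr <= self.last_ctr:                    # assumption: strict anti-replay, not from the fact sheet
            raise ValueError("counter not increasing: replayed or reordered frame")
        self.last_ctr = ctr
        return xor(ct, ctr_keystream(self.key, ctr, len(ct)))


class CfbEndpoint:
    """CFB whose feedback state is the previous ciphertext block, carried over
    from frame to frame (assumption), so nothing is added to the frame."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.state = key, iv

    def encrypt(self, payload: bytes) -> bytes:
        out = b""
        for i in range(0, len(payload), BLOCK):
            block = xor(payload[i:i + BLOCK], prf(self.key, self.state))
            self.state, out = block, out + block
        return out

    def decrypt(self, ct: bytes) -> bytes:
        out = b""
        for i in range(0, len(ct), BLOCK):
            block = ct[i:i + BLOCK]
            out += xor(block, prf(self.key, self.state))
            self.state = block
        return out


def run_loss_demo(key: bytes, frames: list, drop_index: int):
    """Encrypt every frame in both modes, lose the frame at drop_index on the
    wire, and report which delivered frames decrypt correctly in each mode."""
    ctr_tx, ctr_rx = CtrSender(key), CtrReceiver(key)
    iv = b"constructed-iv-for-the-demo"
    cfb_tx, cfb_rx = CfbEndpoint(key, iv), CfbEndpoint(key, iv)
    ctr_ok, cfb_ok = [], []
    for i, p in enumerate(frames):
        ctr_wire, cfb_wire = ctr_tx.encrypt(p), cfb_tx.encrypt(p)
        assert len(ctr_wire) == len(p) + SHIM_LEN and len(cfb_wire) == len(p)
        if i == drop_index:
            continue                                 # lost on the wire
        ctr_ok.append(ctr_rx.decrypt(ctr_wire) == p)
        cfb_ok.append(cfb_rx.decrypt(cfb_wire) == p)
    return ctr_ok, cfb_ok


if __name__ == "__main__":
    key = b"\x11" * 32                               # constructed 256-bit session key
    frames = [bytes([i]) * 64 for i in range(4)]     # four 64-byte payloads
    print(run_loss_demo(key, frames, drop_index=1))  # ([True, True, True], [True, False, True])
```

      With the shim, CTR decrypts every delivered frame after the loss because the counter is explicit
      in each frame; the chained CFB receiver garbles the first block of the frame following the loss
      and then resynchronises on its own ciphertext. Both modes are confidentiality-only constructions:
      the FCS recalculated by the transmitter detects transmission errors but is not a cryptographic
      integrity check, and the fact sheet does not describe a separate authentication mechanism.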






                                Figure 3 - Internal Architecture





      An encryptor will also generate a very small amount of traffic between devices for key updates and
      management purposes. To distinguish it from other network frames this traffic is sent using the
      Senetas registered ethertype (0xFC0F).



      Compatibility
      The CN encryptors have proven interoperability with Ethernet switches from all the well-known
      vendors and provide transparent support for:
        • all Ethernet frame formats
        • MPLS shims (multiple nested)
        • VLAN tags (multiple nested)
        • 802.1p class of service priority



      Key Management
      The encryption algorithm is AES with a 256-bit key, in cipher feedback mode (CFB) or counter mode
      (CTR).
      Encryption keys are derived internally, to FIPS requirements, from true hardware random number
      generators.
      Public key cryptography and X.509 certificates provide a fully automated key management system.
      Master (key-encrypting) keys are exchanged between encryptors using authenticated RSA public key
      cryptography. Session (data-encrypting) keys are exchanged periodically between encryptors under
      the master keys, so the key protecting a connection's traffic is rotated without operator action.

      Any combination of encrypted or unencrypted virtual circuits can be configured, up to a maximum of
      509 active connections for a standard Ethernet frame format.

      Interoperability with third-party Certificate Authorities and OCSP/CRL servers is supported, and a
      full CA capability is also provided in the companion management tool CypherManager.



      Tamper Protection
      The CN series is supplied in a tamper-protected 19” steel case suitable for rack mounting.








                                       Figure 4 - CN3000 Rear View




      Physical security is provided by an active tamper protection mechanism that operates whether or
      not the unit is powered. Tamper detection is triggered if an attempt is made to remove the
      interface card or the lid of the enclosure.

      A tampered encryptor actively erases all sensitive material, such as encryption keys and user
      passwords, and reverts to a known factory default configuration.

      Holographic tamper-evident seals give visible indication that a unit has been opened.



      Management
      Role-based management access is used for both local (RS-232 CLI) and remote (SNMPv3)
      management. All users must be authenticated before being granted access to the encryptor.

      The user role model has three privilege levels, Administrator, Supervisor and Operator, and up to
      thirty different accounts are supported.

      The encryptor logs all configuration changes to a non-volatile audit log and records all events to
      a non-volatile event log. Alarm conditions are reported in the logs and in the alarm table; they are
      also indicated on the front panel LEDs and may optionally trigger SNMP trap messages, which can be
      sent to up to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by
      CypherManager.

      The encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on
      the front panel; this is referred to as out-of-band management. Remote management can also be
      enabled over the encrypted network itself, so that the encryptor is managed through the network
      interface port; this is called in-band management.








                                      Figure 5 - CypherManager




      CypherManager (CM) is a Senetas-developed tool that functions as a device manager and can also act
      as the root Certificate Authority for a network of encryptors.

      CypherManager provides private, authenticated access to encryptors to enable secure remote
      management.

      CypherManager is also used to upgrade encryptor firmware remotely over the network when a new
      release is available.



