SlideShare uma empresa Scribd logo

Understanding senetas layer 2 encryption

S
Senetas

Understand how low latency network encryption at layer 2 operates.

Tecnologia
1 de 8
Baixar para ler offline
Fact Sheet SEN-112 Understanding Senetas layer 2 encryption Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
Understanding Senetas layer 2 encryption Introduction CN encryption devices are purpose built hardware appliances that have been developed in Australia by Senetas Corporation since 1997 and provide secure transport across layer 2 network services. The CN product range is mature; Federal government endorsed (it has achieved both the Common Criteria EAL4+ accreditation and the FIPS140-2 level 3 certifications); and has been deployed to protect critical infrastructure in thousands of locations in more than thirty-five countries. The CN platform is optimised to secure information transmitted over a diverse range of network protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at data rates up to 10 Gigabits per second (Gbps). The CN series latency and overhead are lower than competing solutions available in the marketplace. Encryption occurs at the data link layer (layer 2); the payload of the received network traffic is scrambled and the protocol header is left in the clear so that it can be switched through the network as intended. Encryption at layer 2 solves many of the underlying problems of traditional layer 3 encryption such as complexity, performance and support for multiple traffic types. CN encryptors are fully autonomous and operate independently in point to point or large meshed environments with no reliance on external servers. Supporting fully automatic key management with unique encryption keys per connection the devices offer the most secure, resilient and highest performance method of securing sensitive voice, video or data. This remainder of this document focuses on the CN series Ethernet encryptor to describe the layer 2 approach to securing information. Product architecture The CN encryptor is an inline device that is located on the edge of a network between a local private network, and a remote public network. CN encryptors provide access control, authentication and confidentiality of transmitted information between secured sites. The encryptors can be added to an existing network providing complete transparency to the end user and network equipment. An example installation is shown in Figure 1. __________________________________________________________________________________ Page 1
Understanding Senetas layer 2 encryption Figure 1 – Ethernet Mesh Deployment The encryptor receives frames on its ingress port; valid frames are classified according to the Ethernet header then processed according to the configured policy. The frame processing policy is highly configurable and supports operation in point-point, hub and spoke or fully meshed environments. In a meshed environment each encryptor supports over 500 concurrent connections to peer devices with per connection policy tied to either remote MAC address or to VLAN ID. Allowable policy actions are: • Encrypt – payload of frame is encrypted according to the defined policy • Discard – drop the frame, no portion is transmitted • Bypass – transmit the frame without alteration Selective policy control allows mixed traffic profiles which permits specified traffic types to be bypassed or discarded through the device (for example, bypass core switch operation or maintenance frames) with policy resolution down to the ethertype level. The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted. Multicast traffic and VLANs Multicast encryption is used to encrypt traffic that is sent from a host to all members of a multicast group and operates at layer 2 with no requirement to modify core switch operation. Policy is tied to a multicast MAC address. VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic separation between VLANs. Policy is tied to the VLAN identifier(s). __________________________________________________________________________________ Page 2
Understanding Senetas layer 2 encryption In both cases a group key encryption scheme is used to ensure that encrypted data from a single sender can be successfully received and decrypted by all members of the VLAN or multicast community. Group key encryption uses the AES CTR encryption mode. The Senetas group key management scheme is responsible for ensuring group keys are maintained across the visible network and is designed to be secure, dynamic and robust; with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys as this introduces both a single point of failure and a single point of compromise. For robustness and security a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. Using an elected key master from within the group allows: • Automatic discovery of multicast/VLAN encryption groups • Automatic ageing/deletion of inactive groups • Secure distribution and updates of keys to all members of multicast groups • New members to securely join or leave the group at any time • Fault tolerance to network outages and topology changes Encrypted Header Decryption Decrypted Header Payload Payload Network Local Header Encrypted Encryption Header Decrypted Port Port Payload Payload Interface Interface Control & Management Figure 2 - Data flow through the Encryptor Performance Encryption is implemented in dedicated silicon using a cut-through encryption architecture; this has the benefit that only a portion of the frame needs to be received before encryption and re- transmission of the frame can begin. This approach ensures consistently low latency (in the order of 7uS for a 1Gbps Ethernet encryptor) independent of frame size. In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no packet expansion is performed. In Counter mode (CTR) an 8 byte shim is appended to encrypted frames to ensure counter values are synchronised at both ends. The encryptors are capable of full duplex, full line rate operation independent of packet size or higher layer protocol. __________________________________________________________________________________ Page 3
Understanding Senetas layer 2 encryption Figure 3 - Internal Architecture __________________________________________________________________________________ Page 4
Understanding Senetas layer 2 encryption An encryptor will also generate a very small amount of traffic between devices for key updates and management purposes. To distinguish it from other network frames this traffic is sent using the Senetas registered ethertype (0xFC0F). Compatibility The CN encryptors have proven interoperability with Ethernet switches from all the well known vendors and provide transparent support for: all Ethernet frame formats MPLS shims (multiple nested) VLAN tags (multiple nested) 802.1P class of service priority Key Management The encryption algorithm used is AES in cipher feedback mode (CFB) or counter mode (CTR) with a key size of 256 bits. Encryption keys are derived internally to FIPS standards from true hardware random number generators. Public key cryptography and X.509 certificates are used to provide a fully automated key management system. Master (key encrypting) keys are transferred between encryptors using authenticated RSA public key cryptography. Session (data encrypting) keys are transferred periodically between encryptors using master keys. Any combination of encrypted or unencrypted virtual circuits can be configured up to a maximum of 509 active connections for a standard Ethernet frame format. Interoperability with 3rd party Certificate Authorities and OCSP/CRL servers is permitted and a full CA capability is also provided in the companion management tool CypherManager. Tamper Protection The CN series is provided in a tamper proof 19” steel case suitable for rack mounting. __________________________________________________________________________________ Page 5
Understanding Senetas layer 2 encryption Figure 4 - CN3000 Rear View Physical security is ensured by an active tamper protection mechanism that operates in the presence or absence of power. The tamper detection mechanism is triggered if an attempt is made to remove the interface card or remove the lid of the enclosure. A tampered encryptor will actively delete all sensitive material such as encryption keys and user passwords and will revert to a known factory default configuration. Holographic tamper evident seals are used to provide visibility of tampered units. Management Role based management access is used for both local (RS232 CLI) and remote (SNMPv3) management. All users must be authenticated before being granted access to the encryptor. The user role model has three privilege levels: Administrator, Supervisor and Operator and up to thirty different accounts are supported. The encryptor logs all configuration changes to a non-volatile audit log and also records all events to a non-volatile event log. Any alarm conditions are reported in the logs and in the alarm table, they are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can be sent to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by CypherManager. The encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on the front panel, this being referred to as out-of-band management. Remote management can also be enabled over the encrypted network itself so that the encryptor is managed over the network interface port; this is called in-band management. __________________________________________________________________________________ Page 6
Understanding Senetas layer 2 encryption Figure 5 - CypherManager CypherManager (CM) is a Senetas developed tool that functions as a device manager and that can also act as a root Certificate Authority for a network of encryptors. CypherManager provides private, authenticated access to encryptors to enable secure remote management. CypherManager is also used to remotely upgrade firmware in encryptors over the network when available. __________________________________________________________________________________ Page 7

Recomendados

3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introductionSaurabh Verma
 
Diameter based Interfaces and description
Diameter based Interfaces and descriptionDiameter based Interfaces and description
Diameter based Interfaces and descriptionManjeet Kaur
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Gsm presentation shaikot
Gsm presentation shaikotGsm presentation shaikot
Gsm presentation shaikotsivakumar D
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking Mehul Jariwala
 
205583569 gb-interface-detailed-planning-final
205583569 gb-interface-detailed-planning-final205583569 gb-interface-detailed-planning-final
205583569 gb-interface-detailed-planning-finalOlivier Rostaing
 
MSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfMSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfssuseraab3a8
 
End-to-End QoS in LTE
End-to-End QoS in LTEEnd-to-End QoS in LTE
End-to-End QoS in LTERadisys Corporation
 

Recomendados

3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introductionSaurabh Verma
 
Diameter based Interfaces and description
Diameter based Interfaces and descriptionDiameter based Interfaces and description
Diameter based Interfaces and descriptionManjeet Kaur
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Gsm presentation shaikot
Gsm presentation shaikotGsm presentation shaikot
Gsm presentation shaikotsivakumar D
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking Mehul Jariwala
 
205583569 gb-interface-detailed-planning-final
205583569 gb-interface-detailed-planning-final205583569 gb-interface-detailed-planning-final
205583569 gb-interface-detailed-planning-finalOlivier Rostaing
 
MSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfMSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfssuseraab3a8
 
End-to-End QoS in LTE
End-to-End QoS in LTEEnd-to-End QoS in LTE
End-to-End QoS in LTERadisys Corporation
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basicsKarel Berkovec
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMSHossein Yavari
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
sigtran
sigtransigtran
sigtrankrsgowri
 
Le réseau IMS
Le réseau IMSLe réseau IMS
Le réseau IMSTahraoui Samir
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedurestharinduwije
 
01 09 tmsi reallocation
01 09 tmsi reallocation01 09 tmsi reallocation
01 09 tmsi reallocationEricsson Saudi
 
Umts call-flows
Umts call-flowsUmts call-flows
Umts call-flowssivakumar D
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 
Le Réseau GSM
Le Réseau GSMLe Réseau GSM
Le Réseau GSMTahraoui Samir
 
Cs c n overview
Cs c n overviewCs c n overview
Cs c n overviewKURNIAWAN ARISANDY
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsmKartik Kalpande Patil
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flowAlfred Ongere
 
Gsm
GsmGsm
GsmOscar Bonjovi
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)Hamidreza Bolhasani
 
Srvcc overview
Srvcc overviewSrvcc overview
Srvcc overviewYau Boon
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 
Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Eugene Sushchenko
 
Introduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationIntroduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationRishabh Dangwal
 

Mais conteúdo relacionado

Mais procurados

Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedurestharinduwije
 
01 09 tmsi reallocation
01 09 tmsi reallocation01 09 tmsi reallocation
01 09 tmsi reallocationEricsson Saudi
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)Hamidreza Bolhasani
 
Srvcc overview
Srvcc overviewSrvcc overview
Srvcc overviewYau Boon
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 

Mais procurados (20)

Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call drop
 
sigtran
sigtransigtran
sigtran
 
Le réseau IMS
Le réseau IMSLe réseau IMS
Le réseau IMS
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedures
 
01 09 tmsi reallocation
01 09 tmsi reallocation01 09 tmsi reallocation
01 09 tmsi reallocation
 
Umts call-flows
Umts call-flowsUmts call-flows
Umts call-flows
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
 
Le Réseau GSM
Le Réseau GSMLe Réseau GSM
Le Réseau GSM
 
Cs c n overview
Cs c n overviewCs c n overview
Cs c n overview
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsm
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flow
 
Gsm
GsmGsm
Gsm
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)
 
Srvcc overview
Srvcc overviewSrvcc overview
Srvcc overview
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case study
 

Destaque

Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Eugene Sushchenko
 
Introduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationIntroduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationRishabh Dangwal
 
ADVA ConnectGuard™
ADVA ConnectGuard™ADVA ConnectGuard™
ADVA ConnectGuard™ADVA
 
OFC 2014: Impact of Traffic and Network on OTN Switching Benefits
OFC 2014: Impact of Traffic and Network on OTN Switching BenefitsOFC 2014: Impact of Traffic and Network on OTN Switching Benefits
OFC 2014: Impact of Traffic and Network on OTN Switching BenefitsInfinera
 
Introduction to Optical Backbone Networks
Introduction to Optical Backbone NetworksIntroduction to Optical Backbone Networks
Introduction to Optical Backbone NetworksAnuradha Udunuwara
 
Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsADVA
 
dwdm
dwdm dwdm
dwdmg d
 
DWDM Presentation
DWDM PresentationDWDM Presentation
DWDM Presentationayodejieasy
 
OTN for Beginners
OTN for BeginnersOTN for Beginners
OTN for BeginnersMapYourTech
 

Destaque (15)

Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5Datacryptor Ethernet Layer 2 Rel 4.5
Datacryptor Ethernet Layer 2 Rel 4.5
 
Introduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationIntroduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigation
 
Transport Solutions
Transport SolutionsTransport Solutions
Transport Solutions
 
ADVA ConnectGuard™
ADVA ConnectGuard™ADVA ConnectGuard™
ADVA ConnectGuard™
 
OFC 2014: Impact of Traffic and Network on OTN Switching Benefits
OFC 2014: Impact of Traffic and Network on OTN Switching BenefitsOFC 2014: Impact of Traffic and Network on OTN Switching Benefits
OFC 2014: Impact of Traffic and Network on OTN Switching Benefits
 
Guide otn ang
Guide otn angGuide otn ang
Guide otn ang
 
Next Generation OTN
Next Generation OTNNext Generation OTN
Next Generation OTN
 
Introduction to Optical Backbone Networks
Introduction to Optical Backbone NetworksIntroduction to Optical Backbone Networks
Introduction to Optical Backbone Networks
 
Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport Systems
 
Optical Transport Network
Optical Transport NetworkOptical Transport Network
Optical Transport Network
 
dwdm
dwdm dwdm
dwdm
 
WDM Basics
WDM BasicsWDM Basics
WDM Basics
 
DWDM Presentation
DWDM PresentationDWDM Presentation
DWDM Presentation
 
WDM principles
WDM principlesWDM principles
WDM principles
 
OTN for Beginners
OTN for BeginnersOTN for Beginners
OTN for Beginners
 

Semelhante a Understanding senetas layer 2 encryption

Sen 214 simple secure multicast transmission
Sen 214 simple secure multicast transmissionSen 214 simple secure multicast transmission
Sen 214 simple secure multicast transmissionSenetas
 
Iaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd Iaetsd
 
Effective Key Management in Dynamic Wireless Sensor Networks
Effective Key Management in Dynamic Wireless Sensor NetworksEffective Key Management in Dynamic Wireless Sensor Networks
Effective Key Management in Dynamic Wireless Sensor NetworksvishnuRajan20
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase
 
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...IEEEMEMTECHSTUDENTPROJECTS
 
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...IEEEFINALSEMSTUDENTSPROJECTS
 
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...IRJET Journal
 
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...chennaijp
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestSandeep Patil
 
Data center & wireless lan
Data center & wireless lanData center & wireless lan
Data center & wireless lanjency j
 
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...chennaijp
 
TAM new report
TAM new reportTAM new report
TAM new reportSuzit Punk
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answersccna4discovery
 
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...IRJET Journal
 
Megaplex nerc-cip-compliance
Megaplex nerc-cip-complianceMegaplex nerc-cip-compliance
Megaplex nerc-cip-complianceNir Cohen
 

Semelhante a Understanding senetas layer 2 encryption (20)

Sen 214 simple secure multicast transmission
Sen 214 simple secure multicast transmissionSen 214 simple secure multicast transmission
Sen 214 simple secure multicast transmission
 
Resilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeResilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential Mode
 
Iaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd a framework for secure data
Iaetsd a framework for secure data
 
Effective Key Management in Dynamic Wireless Sensor Networks
Effective Key Management in Dynamic Wireless Sensor NetworksEffective Key Management in Dynamic Wireless Sensor Networks
Effective Key Management in Dynamic Wireless Sensor Networks
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About Firewall
 
World Connect Training
World Connect TrainingWorld Connect Training
World Connect Training
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server Brochure
 
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...
IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...
 
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...
2014 IEEE DOTNET NETWORKING PROJECT Secure data-retrieval-for-decentralized-d...
 
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...
IRJET - Virtual Private Network Implementation on PC as a Router for Privacy ...
 
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...
JPD1422 Secure Data Retrieval for Decentralized Disruption-Tolerant Military...
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
 
Allied Telesis IE510-28GSX
Allied Telesis IE510-28GSXAllied Telesis IE510-28GSX
Allied Telesis IE510-28GSX
 
Data center & wireless lan
Data center & wireless lanData center & wireless lan
Data center & wireless lan
 
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...
JPJ1435 Secure Data Retrieval For Decentralized Disruption-Tolerant Militar...
 
TAM new report
TAM new reportTAM new report
TAM new report
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answers
 
V P N
V P NV P N
V P N
 
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
 
Megaplex nerc-cip-compliance
Megaplex nerc-cip-complianceMegaplex nerc-cip-compliance
Megaplex nerc-cip-compliance
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Último (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Understanding senetas layer 2 encryption

  • 1. Fact Sheet SEN-112 Understanding Senetas layer 2 encryption Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
  • 2. Understanding Senetas layer 2 encryption Introduction CN encryption devices are purpose built hardware appliances that have been developed in Australia by Senetas Corporation since 1997 and provide secure transport across layer 2 network services. The CN product range is mature; Federal government endorsed (it has achieved both the Common Criteria EAL4+ accreditation and the FIPS140-2 level 3 certifications); and has been deployed to protect critical infrastructure in thousands of locations in more than thirty-five countries. The CN platform is optimised to secure information transmitted over a diverse range of network protocols including: Ethernet, Synchronous Optical Network (SONET) and Fibre Channel networks at data rates up to 10 Gigabits per second (Gbps). The CN series latency and overhead are lower than competing solutions available in the marketplace. Encryption occurs at the data link layer (layer 2); the payload of the received network traffic is scrambled and the protocol header is left in the clear so that it can be switched through the network as intended. Encryption at layer 2 solves many of the underlying problems of traditional layer 3 encryption such as complexity, performance and support for multiple traffic types. CN encryptors are fully autonomous and operate independently in point to point or large meshed environments with no reliance on external servers. Supporting fully automatic key management with unique encryption keys per connection the devices offer the most secure, resilient and highest performance method of securing sensitive voice, video or data. This remainder of this document focuses on the CN series Ethernet encryptor to describe the layer 2 approach to securing information. Product architecture The CN encryptor is an inline device that is located on the edge of a network between a local private network, and a remote public network. CN encryptors provide access control, authentication and confidentiality of transmitted information between secured sites. The encryptors can be added to an existing network providing complete transparency to the end user and network equipment. An example installation is shown in Figure 1. __________________________________________________________________________________ Page 1
  • 3. Understanding Senetas layer 2 encryption Figure 1 – Ethernet Mesh Deployment The encryptor receives frames on its ingress port; valid frames are classified according to the Ethernet header then processed according to the configured policy. The frame processing policy is highly configurable and supports operation in point-point, hub and spoke or fully meshed environments. In a meshed environment each encryptor supports over 500 concurrent connections to peer devices with per connection policy tied to either remote MAC address or to VLAN ID. Allowable policy actions are: • Encrypt – payload of frame is encrypted according to the defined policy • Discard – drop the frame, no portion is transmitted • Bypass – transmit the frame without alteration Selective policy control allows mixed traffic profiles which permits specified traffic types to be bypassed or discarded through the device (for example, bypass core switch operation or maintenance frames) with policy resolution down to the ethertype level. The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted. Multicast traffic and VLANs Multicast encryption is used to encrypt traffic that is sent from a host to all members of a multicast group and operates at layer 2 with no requirement to modify core switch operation. Policy is tied to a multicast MAC address. VLAN encryption is used to encrypt all members of a VLAN community and to provide cryptographic separation between VLANs. Policy is tied to the VLAN identifier(s). __________________________________________________________________________________ Page 2
  • 4. Understanding Senetas layer 2 encryption In both cases a group key encryption scheme is used to ensure that encrypted data from a single sender can be successfully received and decrypted by all members of the VLAN or multicast community. Group key encryption uses the AES CTR encryption mode. The Senetas group key management scheme is responsible for ensuring group keys are maintained across the visible network and is designed to be secure, dynamic and robust; with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys as this introduces both a single point of failure and a single point of compromise. For robustness and security a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. Using an elected key master from within the group allows: • Automatic discovery of multicast/VLAN encryption groups • Automatic ageing/deletion of inactive groups • Secure distribution and updates of keys to all members of multicast groups • New members to securely join or leave the group at any time • Fault tolerance to network outages and topology changes Encrypted Header Decryption Decrypted Header Payload Payload Network Local Header Encrypted Encryption Header Decrypted Port Port Payload Payload Interface Interface Control & Management Figure 2 - Data flow through the Encryptor Performance Encryption is implemented in dedicated silicon using a cut-through encryption architecture; this has the benefit that only a portion of the frame needs to be received before encryption and re- transmission of the frame can begin. This approach ensures consistently low latency (in the order of 7uS for a 1Gbps Ethernet encryptor) independent of frame size. In Cipher Feedback Mode (CFB) encrypted frames are the same size as plaintext frames and no packet expansion is performed. In Counter mode (CTR) an 8 byte shim is appended to encrypted frames to ensure counter values are synchronised at both ends. The encryptors are capable of full duplex, full line rate operation independent of packet size or higher layer protocol. __________________________________________________________________________________ Page 3
  • 5. Understanding Senetas layer 2 encryption Figure 3 - Internal Architecture __________________________________________________________________________________ Page 4
  • 6. Understanding Senetas layer 2 encryption An encryptor will also generate a very small amount of traffic between devices for key updates and management purposes. To distinguish it from other network frames this traffic is sent using the Senetas registered ethertype (0xFC0F). Compatibility The CN encryptors have proven interoperability with Ethernet switches from all the well known vendors and provide transparent support for: all Ethernet frame formats MPLS shims (multiple nested) VLAN tags (multiple nested) 802.1P class of service priority Key Management The encryption algorithm used is AES in cipher feedback mode (CFB) or counter mode (CTR) with a key size of 256 bits. Encryption keys are derived internally to FIPS standards from true hardware random number generators. Public key cryptography and X.509 certificates are used to provide a fully automated key management system. Master (key encrypting) keys are transferred between encryptors using authenticated RSA public key cryptography. Session (data encrypting) keys are transferred periodically between encryptors using master keys. Any combination of encrypted or unencrypted virtual circuits can be configured up to a maximum of 509 active connections for a standard Ethernet frame format. Interoperability with 3rd party Certificate Authorities and OCSP/CRL servers is permitted and a full CA capability is also provided in the companion management tool CypherManager. Tamper Protection The CN series is provided in a tamper proof 19” steel case suitable for rack mounting. __________________________________________________________________________________ Page 5
  • 7. Understanding Senetas layer 2 encryption Figure 4 - CN3000 Rear View Physical security is ensured by an active tamper protection mechanism that operates in the presence or absence of power. The tamper detection mechanism is triggered if an attempt is made to remove the interface card or remove the lid of the enclosure. A tampered encryptor will actively delete all sensitive material such as encryption keys and user passwords and will revert to a known factory default configuration. Holographic tamper evident seals are used to provide visibility of tampered units. Management Role based management access is used for both local (RS232 CLI) and remote (SNMPv3) management. All users must be authenticated before being granted access to the encryptor. The user role model has three privilege levels: Administrator, Supervisor and Operator and up to thirty different accounts are supported. The encryptor logs all configuration changes to a non-volatile audit log and also records all events to a non-volatile event log. Any alarm conditions are reported in the logs and in the alarm table, they are also indicated on the front panel LEDs and may optionally trigger SNMP trap messages that can be sent to 8 independent trap handlers (e.g. OpenView, NetView) as well as being received by CypherManager. The encryptor can be managed securely and remotely using SNMPv3 via a dedicated management port on the front panel, this being referred to as out-of-band management. Remote management can also be enabled over the encrypted network itself so that the encryptor is managed over the network interface port; this is called in-band management. __________________________________________________________________________________ Page 6
  • 8. Understanding Senetas layer 2 encryption Figure 5 - CypherManager CypherManager (CM) is a Senetas developed tool that functions as a device manager and that can also act as a root Certificate Authority for a network of encryptors. CypherManager provides private, authenticated access to encryptors to enable secure remote management. CypherManager is also used to remotely upgrade firmware in encryptors over the network when available. __________________________________________________________________________________ Page 7