SENETAS CERTIFIED HIGH-ASSURANCE NETWORK DATA ENCRYPTION The Cloud Expo Asia 2016 guide to robust encryption security for trusted Cloud and data centre network infrastructure


Cloud Expo Asia Senetas Encryption Guide


Senetas certified high-assurance encryptors for Layer 2 Carrier, metro and wide area Ethernet networks. Maximum encryption security for Cloud, Big Data and data centre services. Secure data-in-motion without compromising network performance.

Recognised as leading certified hardware encryption solutions, Senetas encryptors are used by governments; market leading enterprises; defence and military; law enforcement and national regulatory agencies; banks and financial institutions; global Cloud and data centre service providers; telecommunications carriers and a broad range of commercial and industrial organisations in more than 30 countries.

BEST PERFORMANCE – TRUSTED ASSURANCE – SET AND FORGET
Our customers include the most secure organisations and global market leaders transmitting sensitive information across a wide range of Layer 2 data network topologies – from complex global multi-point meshed networks to simple point-to-point branch location networks.

Senetas certified high-assurance Layer 2 encryptors provide robust security AND maximum network performance. Whether your needs are modest or complex, Senetas small form-factor and rack mounted encryptors ensure maximum data protection need not come at the heavy cost of reduced network and application performance.

Senetas encryptors enable maximum performance through designed-in near-zero latency and overheads! They are as simple to manage as “set and forget”!

NETWORK BREACHES - INCREASING RISKS TO DATA-IN-MOTION
High-speed Layer 2 data networks are reported by respected global data security analysts and business and IT strategy advisors to be THE rapidly growing soft target for cyber-criminals. Serious network breaches include:

> Theft of intellectual property

> Data “sniffing” and eavesdropping

> Privacy breaches

> Redirection of data

> Cyber-attacks and damage to data integrity

> Human and systems errors and hardware failures and incorrect network configuration

> Injection of damaging rogue data

DEMAND FOR HIGH-SPEED DATA NETWORKS
The exponential growth in demand for high-speed Layer 2 data networks and links is driven by business improvement enabling technologies. The adoption of these technologies, and of the services and applications they enable, exposes all users and organisations to increased risks of network breaches.

Senetas high-assurance encryptors provide maximum data protection and network performance for business improvement technologies using Layer 2 network links for:

> Cloud computing

> Data centres

> Big Data

> Industrial and national infrastructure SCADA control systems

> CCTV

> Multicast networks

> Branch office and remote location networks

RISKS OF CATASTROPHIC BRAND AND REPUTATION DAMAGE
Data networks delivering services to commercial, industrial, government and not-for-profit sectors transmit large data volumes, making even small network breaches potentially catastrophic:

> Financial loss

> Theft of intellectual property (IP)

> Breach of privacy AND penalties for regulatory breaches

> Damage to data integrity and business disruption

> Damage to brand integrity and loss of trust and reputation

> Damage to critical infrastructure and assets


The best data protection against the increasing risks of network breaches is certified high-assurance encryption.

WHY ENCRYPT NETWORK TRANSMITTED DATA?
Increasing data network breaches and attacks on transmitted data highlight the importance of protecting the data itself.

Certified, defence-grade encryption is the ultimate data protection. Cloud, data centre, big data and other technologies using high-speed Layer 2 links need the best data protection as well as maximum network performance.

The need to protect organisations’ sensitive information within their systems is clear. But, the need to protect transmitted data has not been so obvious. Leading data security organisations highlight that many organisations do not sufficiently protect transmitted data once outside their direct control. Do you really know what happens to your data while it is transmitted to another location? From the moment your data is transmitted, you no longer control it. Transmitted data is easily and cheaply ‘tapped’, tampered with and redirected by cyber-criminals.

In its 2012 Global Data Security Report, awarded information security experts – Trustwave – noted that 62.5% of data theft occurred while in transit. It also pointed to increasing cyber-criminal focus on data-in-motion. Furthermore, data travelling through networks is not just exposed to risks of cyber-attack; there are also genuine risks of transmission to wrong locations.

Human error and technical equipment failings are real risks that can manifest more often than you would think. The common issue that organisations face is a breach of data privacy and/or integrity as well as criminal damage such as the loss of valuable intellectual property, whatever the original cause.

However, these risks can be eliminated - and security assured - by automatically encrypting the data while it’s in motion. Your transmitted data – commercial, government or industrial – data, voice, video, or all three – should be encrypted to protect your organisation and its stakeholders, particularly because it leaves your direct control.

Importantly, data security advisors highlight that almost all data transmitted across high-speed networks should be encrypted. They argue that in large volumes, even low value data, when aggregated, can be useful to cyber-criminals and any network breach has potential to be harmful to reputations and stakeholders’ trust. In the past, data encryption came at a huge cost of network performance due to latency overheads. Senetas then developed near-zero latency encryptors with no impact on network assets – maximum network performance and data protection.

Two serious network breach issues have been identified by data security analysts – the seemingly harmless breach today may be very harmful in the future; and that most breaches remain undetected in the long-term.

Manufacturer, Codan Ltd., only became aware of an earlier network breach when it discovered the theft of its products’ intellectual property, which had led to a massive decline in market share due to counterfeiting reported to it by its dealers. It’s often assumed that data networks are safe. The reality is they are not. Cyber-attacks, human error and equipment failings are all hazards that can lead to sensitive data getting into unauthorised hands.

Ultimately, it’s the encryption of data that provides genuine assurance that the encrypted data is useless to unauthorised parties – the last line of defence. The optimal solution is not the protection of the data network; it’s the protection of the data itself. By encrypting the data, you can be assured that however accessed by an unauthorised party, it is protected by that last line of defence. This is why governments and defence forces around the world have encrypted information for hundreds of years.

The most commonly used networks to transmit information are known as Layer 3; but, when encrypting Layer 3 networks, there is a significant performance cost of up to 50%. On the other hand, Layer 2 networks do not suffer the same lost performance. Layer 2 networks are optimally used when robust encryption, data volumes, network performance, cost efficiencies and application requirements are important.

Senetas’s recently released CN6010 – carrier-grade AND cost-effective certified high-speed encryptor.


TAPPING FIBRE – EASIER AND MORE WIDESPREAD THAN YOU THINK
According to Gartner, tapping fibre optic cable without detection is not only possible, but has been taking place for most of the last decade. This view is shared by US security firm, the SANS Institute, which stated: “It is alarming that there appear to be many organisations out there who are not aware of, and do not agree on, the ever increasing ease at which fibre optic cables can be attacked.”

So, how is it done? The technology that allows for fibre optic cable to be tapped, and for data to either be removed or added without breaking the connection, not only exists but is readily available. Fibre-clamping devices are available over the internet, legally, for as little as US$400.

The simple clamp bends the individual fibre, allowing some of the light to escape. This is sufficient to either extract the information travelling down the cable or to inject additional information. With high-speed networks handling up to 100 Gbps, it wouldn’t take long to extract a significant amount of data. So, because you can’t prevent or detect fibre tapping, how do you protect your data in transit?

ENCRYPTION – THE LAST LINE OF DEFENCE
The simplest and best approach is to provide protection that stays with the data, wherever it is being sent. Encryption does exactly that. Most organisations and executives have heard of encryption, but what exactly is it, what options are there and why is one solution better than another? At first glance, encryption seems an easy choice. After all, why expose sensitive or private information to prying eyes when you can protect it by encrypting it?

“The risks to your data transmitted across high-speed networks are increasing!” MCKINSEY & COMPANY - DATA IN TRANSIT IS THE NEW SOFT TARGET!

This makes logical sense, because encryption ensures that when data falls into unauthorised hands, it is unintelligible and therefore rendered useless to a hacker, criminal or any innocent party who may have received the data in error. It’s not a matter of if there will be a breach, but when!

WHERE TO ENCRYPT
Generally the model for networks is comprised of seven layers as shown in the diagram below. Layer 1 is the physical layer, comprised of the basic hardware elements of a network (cables, connectors etc.). Layer 2 is the data link layer, responsible for the transfer of data between devices on a network (Ethernet and fibre optic cable, for example). Layer 3 is the network layer, responsible for packet forwarding (such as IP – the internet protocol). Beyond that are the higher layers, which identify the software applications and the types of traffic flowing across the network.

If your data travels through a geographically diverse public or private network, it is not secure – this is as true for optic fibre networks as it is for other types of wired or wireless network. Therefore, the question isn’t whether or not encryption should be used; rather which approach to encryption offers the most secure and efficient solution.

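[Diagram: the seven network layers and their data units (Application: Data; Presentation: Data; Session: Data; Transport: Data; Network: Packets; Data Link: Frames; Physical: Bits), with SSL Encryption, IPSEC Encryption and Layer 2 Encryption marked against them.]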

Consider this: Would anyone ever email or post unencrypted sensitive data? Would anyone ever leave unencrypted sensitive data on a laptop? So, why would anyone ever transmit unencrypted data across a network?


“Businesses are happy to take risks and underestimate or under-invest [in data security]” Some companies will need to consider trusted hardware “to keep their most valuable secrets away from Internet-exposed networks...”
ISACA - INFORMATION SYSTEMS AUDIT & CONTROL REPORT

OFTEN OVERLOOKED BUSINESS AND TECHNICAL BENEFITS
When choosing a high-speed data network and a data security solution, the choice of the network type (layer) should be considered together with the data security solution - ensuring the optimal data protection and network performance. The data network (layer) options available to encrypt data are:

> End-to-end encryption within applications

> SSL, Layer 4 encryption

> IPSec Standard, Layer 3 encryption

> Layer 2 encryption

Generally the lower the layer, the more comprehensive the encryption and the more efficient the process. Layer 2 and Layer 3 are most commonly chosen for encryption. The next and important challenge lies in maintaining the network performance and simplicity of high-speed network data transmission whilst assuring the security and privacy of network traffic - voice, data or video.

Maintaining consistent network performance – bandwidth and speed – is important for two key reasons. The cost of bandwidth and speed is significant and therefore any reduction in performance comes at a cost. Secondly, business application performance and productivity are dependent upon network performance. Today, Senetas makes it possible for the optimal robust encryption technology to provide maximum data protection without compromising data network performance.

This cost of lost network performance is due to the data overheads and latency imposed when encrypting at Layer 3. Senetas encryption at Layer 2 maintains maximum network performance. It does not cause any costs of bandwidth and speed, lost productivity or application performance.

That’s because Senetas encryption does not add the data overheads and network latency that other encryption products add.

Similarly, Senetas encryption provides predictable and consistent performance, which is critical to many business-critical applications. Senetas maximum data protection, simplicity and network performance provide long-term business efficiencies. Layer 3 encryptors are designed for IPSec encryption - standard Internet encryption. IPSec uses a process that ‘tunnels’ the original IP packet in order to encrypt an IP ‘header’. These tunnels result in increased data overheads, complexity and adversely affect network performance - speed and processing.

Senetas certified high-assurance Layer 2 encryptors are optimised for Ethernet networks and don’t need to tunnel the original IP packets in order to encrypt. This results in a significantly more efficient process – up to 50% better network traffic speed and performance.
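The cost of tunnelling described above depends heavily on packet size, which the following added example works through (it is not part of the Senetas guide and makes no claim about Senetas products). It assumes an IPv4 outer header without options, ESP tunnel mode with AES-GCM using the RFC 4303 and RFC 4106 field sizes, no NAT-T encapsulation and standard Ethernet framing; the function names and sample sizes are constructed for illustration.

```python
"""Added example: per-packet byte cost of IPsec ESP tunnel mode on Ethernet."""

# Field sizes in bytes. Assumptions: IPv4 outer header without options,
# ESP (RFC 4303) carrying AES-GCM (RFC 4106), no NAT-T/UDP encapsulation.
OUTER_IPV4_HEADER = 20
ESP_HEADER = 8        # SPI (4) + sequence number (4)
GCM_IV = 8            # explicit IV carried in every packet
ESP_TRAILER = 2       # pad length (1) + next header (1)
GCM_ICV = 16          # integrity check value (authentication tag)
ESP_ALIGNMENT = 4     # payload + padding + trailer must align to 4 bytes

# Ethernet bytes around every payload: preamble and SFD (8), header (14),
# FCS (4), inter-frame gap (12). Payloads below 46 bytes are padded.
ETH_WIRE_OVERHEAD = 8 + 14 + 4 + 12
ETH_MIN_PAYLOAD = 46


def esp_tunnel_len(inner_len):
    """Length of the outer IP packet that tunnels an inner packet."""
    pad = -(inner_len + ESP_TRAILER) % ESP_ALIGNMENT
    return (OUTER_IPV4_HEADER + ESP_HEADER + GCM_IV
            + inner_len + pad + ESP_TRAILER + GCM_ICV)


def wire_bytes(ip_len):
    """Bytes of link time one IP packet occupies as a single Ethernet frame."""
    return max(ip_len, ETH_MIN_PAYLOAD) + ETH_WIRE_OVERHEAD


def relative_throughput(inner_len):
    """Packets per second through the tunnel relative to the clear link.

    Ignores fragmentation, so the value is optimistic for any size that
    overhead_table() flags as fragmenting.
    """
    return wire_bytes(inner_len) / wire_bytes(esp_tunnel_len(inner_len))


def max_inner_without_fragmentation(mtu=1500):
    """Largest inner packet whose tunnelled form still fits the link MTU."""
    room = mtu - (OUTER_IPV4_HEADER + ESP_HEADER + GCM_IV + GCM_ICV)
    room -= room % ESP_ALIGNMENT   # inner + padding + trailer is 4-aligned
    return room - ESP_TRAILER


def overhead_table(sizes, mtu=1500):
    """One row per inner packet size: added bytes, throughput, fragmentation."""
    rows = []
    for inner in sizes:
        outer = esp_tunnel_len(inner)
        rows.append({
            "inner": inner,
            "outer": outer,
            "added": outer - inner,
            "relative_throughput": round(relative_throughput(inner), 3),
            "fragments": outer > mtu,
        })
    return rows


# Constructed sample sizes: bare TCP ACK, small packet, mid-size packet,
# typical bulk segment, the largest size that still fits, and a full
# 1500-byte packet that no longer fits once tunnelled.
SAMPLE_SIZES = [40, 64, 576, 1400, 1446, 1500]

if __name__ == "__main__":
    for row in overhead_table(SAMPLE_SIZES):
        print(row)
```

Small packets pay the largest share because the fixed tunnel fields do not shrink with the payload, and full-size packets fragment unless the inner MTU is lowered.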

Naturally, organisations are always looking for an edge in network speed and performance. They minimise network costs and maximise business productivity whilst retaining optimal levels of data protection. Consequently, the adoption of Layer 2 networks and encrypting at Layer 2 are increasing around the world. At the same time, Layer 2 networks have become more accessible and at a lower cost. In summary, when compared to encryption at higher layers, such as Layer 3, Senetas Layer 2 encryption provides a number of important business advantages:

> No impact on network performance

> Near-zero data overheads

> Reduced management complexity

> Transparent to media types (voice, data, video etc.)

> Little or no configuration required

> Operates at wire speed up to 10Gbps

Ultimately, if the data transmitted across your networks qualifies as being sensitive in any way, it should be encrypted. Only Senetas defence-grade encryption provides the optimal assurance of data protection – data privacy, security and integrity. The business case to encrypt using Layer 2 networks is compelling - lower cost per gigabyte, lowest management overhead costs and best network and application performance.


Senetas CN6010 – rack mounted certified high-assurance encryptor - versatile AND cost-effective.

CERTIFICATIONS - YOUR ASSURANCE AND SENETAS’ COMMITMENT
Senetas encryptors are preferred by the world’s most secure organisations – government, defence and financial transactions. Only Senetas encryptors include all four leading international certifications.

Senetas customers are assured of our encryptors’ world-leading performance by the certifications provided by the leading independent international testing authorities. These certifications involve years of rigorous testing by the testing authorities’ own labs. They are certified as “suitable for government and defence use”. Products without these certifications are unable to be installed in the respective government data networks.

Senetas all-Australian developed and manufactured defence-grade encryptors provide our customers the best assurance that their transmitted data is protected according to the rigorous defence-grade standards required and that they perform as specified.

Despite our encryptors’ certification/s, some government, defence and commercial customers have also undertaken their own “proof of concept” and even benchmarking testing. In every case, Senetas encryptors have excelled. Senetas customers also benefit from “triple assurance” because our encryptors include the only products of their type in the world to be certified by all three leading authorities, rather than just one. Our customers are also assured maximum network performance. Senetas product certifications are:

> Federal Information Processing Standard (FIPS) - United States

> Common Criteria (International and Australia)

> NATO (all 28 member states)

> CESG Assisted Products Service (CAPS) – UK

To provide their stakeholders with a preferred level of performance assurance, many commercial organisations have followed government certification requirements. They insist that products used to protect their sensitive data hold one or more of these independent testing authority certifications.

ENCRYPTION WITHOUT COMPROMISE
Whether protecting data transmitted across Layer 2 network links for Cloud computing, remote data centre services, information-rich Big Data (multicast), CCTV traffic, or infrastructure and industrial process and control systems, independent testing authorities’ certifications are valuable security and performance assurance. That is why Senetas has always been 100% committed to testing authorities’ certifications.

Our encryptors’ leading features and benefits, combined with Senetas’s long-term commitment to independent testing authority certifications and continuing research and development (R&D), provide organisations and their stakeholders with peace of mind.

Ultimately, our customers are assured that should their networks be successfully breached, the data will be useless to unauthorised parties.

Importantly, organisations providing services to the government and defence sectors – such as Cloud computing and/or data centre storage services – will meet certification requirements of their government customers when using certified Senetas products. That’s why Senetas encryptors secure much of the world’s most sensitive data!

Not all encryption solutions are the same. Reports of growing data network eavesdropping and successful network breaches prove the value of certified high-assurance encryption.

SUGGESTED FURTHER READING Senetas High-Assurance Certifications. http://www.senetas.com/technical-papers/


What makes Senetas encryptors stand out? Security without compromise!

HIGH-SPEED
The “designed-in” leading performance capabilities make Senetas encryptors stand out. Whether 10Mbps, 100Mbps, 1Gbps or 10Gbps, they win competitive performance tests. Their encryption speeds; near-zero data overhead; near-zero latency; and their consistent performance make Senetas encryptors ideally suited to the most demanding environments. They are the first choice of many of the world’s most secure organisations.

NEAR-ZERO LATENCY
Senetas ‘high-assurance’ encryptors operate in full-duplex mode at full line speed without loss of packets. Latency is not affected by packet size (approx. >4 microseconds per unit at 10Gbps) meaning maximum throughput with near-zero protocol overhead. Importantly, by using Field Programmable Gate Array (FPGA) technology, this outstanding latency performance is predictable and dependable.

MULTI-CERTIFIED
Because Senetas encryptors are multi-certified, they are trusted by governments and defence forces around the world. This exhaustive and rigorous testing over many years provides our government and commercial customers with maximum assurance. Senetas encryptors are certified by: FIPS, NATO, CAPS and Common Criteria.

RELIABILITY
Senetas encryptors are dependable. They are designed, developed and manufactured in Australia to exacting standards. In addition to their maximum security, they provide reliable 99.999% uptime and conform to international requirements for safety and environment.

COMPREHENSIVE RANGE
The Senetas ‘high-assurance’ CN series of Layer 2 encryptors provides the widest feature-set able to operate at 10Mbps to 10Gbps and support Ethernet, Fibre Channel; SONET/SDH and LINK protocols. This extensive range provides cost effective network-wide data protection.

SIMPLICITY
“Set and forget” and transparency are underlying Senetas design themes. They help ensure simple and low cost implementation, operation and management. That simplicity continues with an intuitive user interface providing meaningful descriptive diagnostics – such as early warnings and simple fault-finding. They just do their job – with minimal resource requirements.

EASY TO INSTALL
The ‘Bump in the Wire’ design of Senetas encryptors makes them easy to install. Simply place the encryptor at the access point to the Layer 2 network and all data passing through the unit is encrypted using the AES 256 bit encryption algorithm and Senetas state-of-the-art encryption key management.

ALL TOPOLOGIES
Senetas encryptors operate in multi-point to multi-point (mesh); single-point to multi-point and single-point to single-point network topologies. Whether the network topology is simple or very complex the same Senetas encryptor benefits apply.

Senetas certified high-assurance encryptors’ leading performance is not limited to their maximum data protection without loss of network performance.

MAXIMUM PERFORMANCE ‘TRUSTED ‘HIGH-ASSURANCE’ SET & FORGET SIMPLICITY


ZERO IMPACT
The zero impact of Senetas encryptors is not limited to network bandwidth and speed (latency). It extends to network operations and management. They simply “fit in” within the user network. They don’t require changes to other devices or network reorganisation. Zero impact makes Senetas encryptors a favourite among network engineers - they don’t add load to network operations or management.

FLEXIBILITY
Senetas encryptors’ use of FPGA technology enables maximum operational flexibility. They better meet customers’ specific and unique requirements and provide an optimised high-speed data encryption solution. This multipurpose flexibility enables on-going operational simplicity, such as infield upgradability, as customers’ requirements change – protecting their investment.

COST EFFECTIVE
Senetas encryptors provide excellent total cost of ownership through a mix of: network bandwidth savings; ease of Layer 2 network management; longevity; reliability; interoperability; backward compatibility; minimal installation and management costs; solution flexibility and low power use.

Other cost benefits among various Senetas encryptors include: low power consumption; minimal rack space use; combined rack space/power utilisation efficiency; and dual power supply.

CUSTOM ALGORITHMS
In addition to the AES 256 bit algorithm, Senetas encryptors may be implemented with customised, customer requested algorithms. Selected Senetas encryptors also support Quantum Key Distribution (Quantum Cryptography).

INTEROPERABILITY
Senetas encryptors that support the same protocol are fully interoperable. All Senetas CN models are backward compatible.

LOCAL OR CENTRALISED MANAGEMENT
Configuration can be performed locally or remotely through the intuitive Senetas CM7 management software, which acts as the Certificate Authority in a network of encryptors by signing and distributing X.509 certificates.

SOLUTION INTEGRITY
Senetas provides maximum solution integrity – the highest data protection return – and the lowest network impact and overhead.


Data network topologies
Senetas encryptors support the following data network topologies and data speeds from 10Mbps to 10Gbps.

POINT-TO-POINT LINKS
In point-to-point connections, Senetas encryptors protect data transmitted between network links at two sites via a fibre link or a managed Ethernet connection. This direct transmission of encrypted data between the two locations is a point-to-point solution.

[Diagram: LAN - Ethernet Encryptor - Carrier’s Layer 2 WAN - Ethernet Encryptor - LAN]

POINT-TO-MULTIPOINT CONNECTIONS
In the case of multiple locations, such as branch offices connected to a single central head office site, point-to-multipoint connections may be used. The branch locations may exchange data with the head office and optionally among each other. The access speed and the encryption for each site may vary and be chosen among 10Mbps, 100Mbps, 1Gbps or 10Gbps.

[Diagram: four LANs, each behind an Ethernet Encryptor, connected through the Carrier’s Layer 2 WAN]


MULTI-POINT CONNECTIONS
If there are many sites that communicate freely amongst each other, this is referred to as a multi-point or mesh environment. Hence a full multi-point solution may be optimal. Such a full multi-point solution looks similar to a large distributed LAN where all encryptors see each other at Layer 2. Similar to the point-to-point and point-to-multipoint connections, Senetas encryption does not have any impact on the network functionality nor other network assets, thus allowing all services including multicast and broadcast applications to continue to operate unaffected.

[Diagram: six LANs, each behind an Ethernet Encryptor, connected through the Carrier’s Layer 2 WAN]

DATA STORAGE INTERCONNECTION
Senetas encryptors also support the encryption of data transmitted between and among multiple data storage networks. The combination of the SONET/SDH encryptors and TDM multiplexors allows the encryption of data transmitted across links between and among multiple data centres.

[Diagram: at each of two sites, a LAN and a SAN connect through a Multiplexor to a 10 Gbps Encryptor]


SENETAS CN6000 SERIES ENCRYPTORS AT A GLANCE

This chart illustrates the Senetas range of encryptors and their key features and specifications.

| MODEL | CN6010 | CN6040 | CN6040 | CN6100 |
|---|---|---|---|---|
| PROTOCOL SUPPORTED | ETHERNET | FIBRE CHANNEL | ETHERNET | ETHERNET |
| PROTOCOL AND CONNECTIVITY: | | | | |
| Ethernet point-point, hub & spoke, mesh full-duplex encryption | ✓ | - | ✓ | ✓ |
| Fibre Channel point-point encryption | - | ✓ | - | - |
| Physical Encryption Channels | 1 | 1 | 1 | 1 |
| Maximum Speed | 1 Gbps | 1-4 Gbps | 1 Gbps | 10 Gbps |
| Support for Jumbo frames | ✓ | | ✓ | ✓ |
| Protocol and application transparent | ✓ | ✓ | ✓ | ✓ |
| Encrypts Unicast, Multicast and Broadcast traffic | ✓ | - | ✓ | ✓ |
| Automatic network discovery and connection establishment | ✓ | ✓ | ✓ | ✓ |
| Network interfaces | RJ45, SFP | SFP | RJ45, SFP | XFP |
| SECURITY: | | | | |
| Tamper resistant and evident enclosure | ✓ | ✓ | ✓ | ✓ |
| Anti-probing barriers | ✓ | ✓ | ✓ | ✓ |
| Flexible encryption policy engine | ✓ | ✓ | ✓ | ✓ |
| Robust AES encryption algorithm | ✓ | ✓ | ✓ | ✓ |
| Per packet confidentiality and integrity with AES-GCM encryption | ✓ | - | ✓ | ✓ |
| Automatic key management | ✓ | ✓ | ✓ | ✓ |
| Traffic analysis protection (TRANSEC) | ✓ | - | ✓ | ✓ |
| ENCRYPTION AND POLICY: | | | | |
| AES 128 or 256 bit keys | 128/256 | 256 | 128/256 | 128/256 |
| Policy based on MAC address or VLAN ID | ✓ | - | ✓ | ✓ |
| Encryption modes | CFB, CTR, GCM | CFB | CFB, CTR, GCM | CTR, GCM |
| Self healing key management in the event of network outages | ✓ | ✓ | ✓ | ✓ |
| CERTIFICATIONS: | | | | |
| Common Criteria certified | ✓ | ✓ | ✓ | ✓ |
| FIPS certified | ✓ | ✓ | ✓ | ✓ |
| PERFORMANCE: | | | | |
| Low overhead full duplex line-rate encryption | ✓ | ✓ | ✓ | ✓ |
| FPGA based cut-through architecture | ✓ | ✓ | ✓ | ✓ |


MODEL CN6010 CN6040 CN6100

PROTOCOL SUPPORTED ETHERNET FIBRE CHANNEL ETHERNET ETHERNETUltra low latency for high performance ✓ ✓ ✓ ✓

Latency (microseconds per encryptor)

< 10 @ 1 Gbps< 50 @100 Mbps <650 @ 10 Mbps

< 1< 10 @ 1 Gbps

< 50 @100 Mbps <650 @ 10 Mbps

< 10

MANAGEMENT:Centralised configuration and management using CM7 and SNMPv3

✓ ✓ ✓ ✓

SNMPv1/2 monitoring (read-only) ✓ ✓ ✓ ✓Certificate signing RSA, EC RSA, EC RSA, EC RSA, ECSupport for external (X.509v3) CAs ✓ ✓ ✓ ✓Remote management using SNMPv3 (inband and out-of band) ✓ ✓ ✓ ✓

NTP (time server) support ✓ ✓ ✓ ✓CRL and OCSP(certificate) server support ✓ ✓ ✓ ✓

MAINTAINABILITY/ INTEROPERABILITY:In-field firmware upgrades ✓ ✓ ✓ ✓Dual swappable AC and/or DC power supplies ✓ ✓ ✓ ✓

Fan cooled ✓ ✓ ✓ ✓User replaceable fans ✓ ✓ ✓ ✓Fully interoperable with related CN/CS models ✓ ✓ ✓ ✓

PHYSICAL AND INSTALLATION:

Form factor | 1U, rack mount | 1U, rack mount | 1U, rack mount | 1U, rack mount

Physical dimensions (W, D, H) | 435, 329, 43 mm | 435, 329, 43 mm | 435, 329, 43 mm | 435, 329, 43 mm

Weight | 8.5 kg | 8.5 kg | 8.5 kg | 8.5 kg

Power source | mains | mains | mains | mains

Power input rating | 100-240 VAC, 50/60 Hz, 0.6 A or 40.5-60 VDC, 1.0 A | 100-240 VAC, 50/60 Hz, 1.5 A or 40.5-60 VDC, 2.0 A | 100-240 VAC, 50/60 Hz, 1.5 A or 40.5-60 VDC, 2.0 A | 100-240 VAC, 50/60 Hz, 1.5 A or 40.5-60 VDC, 2.0 A

Power consumption (Typical at highest data rate) | 18 W | 38 W | 38 W | 50 W

All interfaces accessible on single panel ✓ ✓ ✓ ✓

ENVIRONMENT, REGULATORY AND SAFETY:

RoHS compliant ✓ ✓ ✓ ✓

Maximum operating temperature 50°C 50°C 50°C 50°C

0-80% RH at 50°C | 0-80% RH at 50°C | 0-80% RH at 50°C | 0-80% RH at 50°C

Safety standards | EN 60950-1 (CE) | EN 60950-1 (CE) | EN 60950-1 (CE) | EN 60950-1 (CE)

IEC 60950-1 | IEC 60950-1 | IEC 60950-1 | IEC 60950-1

AS/NZS 60950.1 | AS/NZS 60950.1 | AS/NZS 60950.1 | AS/NZS 60950.1

UL listed ✓ ✓ ✓ ✓

EMC (Emission and immunity) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA)

ICES-003 (Canada) | ICES-003 (Canada) | ICES-003 (Canada) | ICES-003 (Canada)

EN55022 (CE) | EN55022 (CE) | EN55022 (CE) | EN55022 (CE)

AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM)

EN 61000-3-2 (CE) | EN 61000-3-2 (CE) | EN 61000-3-2 (CE) | EN 61000-3-2 (CE)

EN 61000-3-3 (CE) | EN 61000-3-3 (CE) | EN 61000-3-3 (CE) | EN 61000-3-3 (CE)

EN 55024 (CE) | EN 55024 (CE) | EN 55024 (CE) | EN 55024 (CE)


MODEL CN4010 CN4020 CN8000

PROTOCOL SUPPORTED ETHERNET ETHERNET FIBRE CHANNEL ETHERNET

PROTOCOL AND CONNECTIVITY:

Ethernet point-point, hub & spoke, mesh full-duplex encryption ✓ ✓ - ✓

Fibre Channel point-point encryption - - ✓ -

Physical Encryption Channels | 1 | 1 | up to 10 | up to 10

Maximum Speed | 1 Gbps | 1 Gbps | 1, 2, 4, 8 Gbps | 10 Gbps

Support for Jumbo frames ✓ ✓ - ✓

Protocol and application transparent ✓ ✓ ✓ ✓

Encrypts Unicast, Multicast and Broadcast traffic ✓ ✓ - ✓

Automatic network discovery and connection establishment ✓ ✓ ✓ ✓

Network interfaces | RJ45 | SFP | SFP, SFP+ | SFP, SFP+

SECURITY:

Tamper resistant and evident enclosure ✓ ✓ ✓ ✓

Anti-probing barriers ✓ ✓ ✓ ✓

Flexible encryption policy engine ✓ ✓ ✓ ✓

Robust AES encryption algorithm ✓ ✓ ✓ ✓

Per packet confidentiality and integrity with AES-GCM encryption ✓ ✓ - ✓

Automatic key management ✓ ✓ ✓ ✓

Traffic analysis protection (TRANSEC) ✓ ✓ - -

ENCRYPTION AND POLICY:

AES 128 or 256 bit keys 128/256 128/256 256 128/256

Policy based on MAC address or VLAN ID ✓ ✓ - ✓

Encryption modes | CFB, CTR, GCM | CFB, CTR, GCM | CFB | CFB, CTR, GCM

Self healing key management in the event of network outages ✓ ✓ ✓ ✓

CERTIFICATIONS:

Common Criteria certified | ✓ | In progress | In progress | In progress

FIPS certified | ✓ | In progress | - | -

PERFORMANCE:

Low overhead full duplex line-rate encryption ✓ ✓ ✓ ✓

FPGA based cut-through architecture ✓ ✓ ✓ ✓

Ultra low latency for high performance ✓ ✓ ✓ ✓

Latency (microseconds per encryptor) | < 10 @ 1 Gbps, < 50 @ 100 Mbps, < 650 @ 10 Mbps | < 10 @ 1 Gbps, < 50 @ 100 Mbps, < 650 @ 10 Mbps | < 1 | < 10 @ 1 Gbps, < 5 @ 10 Gbps

SENETAS CN4000 & CN8000 SERIES ENCRYPTORS AT A GLANCE


MANAGEMENT:

Centralised configuration and management using CM7 and SNMPv3 ✓ ✓ ✓ ✓

SNMPv1/2 monitoring (read-only) ✓ ✓ ✓ ✓

Certificate signing | RSA, EC | RSA, EC | RSA, EC | RSA, EC

Support for external (X.509v3) CAs ✓ ✓ ✓ ✓

Remote management using SNMPv3 (inband and out-of-band) ✓ ✓ ✓ ✓

NTP (time server) support ✓ ✓ ✓ ✓

CRL and OCSP (certificate) server support ✓ ✓ ✓ ✓

MAINTAINABILITY/INTEROPERABILITY:

In-field firmware upgrades ✓ ✓ ✓ ✓

Dual swappable AC and/or DC power supplies - - ✓ ✓

Fan cooled - ✓ ✓ ✓

User replaceable fans - - ✓ ✓

Fully interoperable with related CN/CS models ✓ ✓ ✓ ✓

PHYSICAL AND INSTALLATION:

Form factor | bench, rack mount kit | bench, rack mount kit | 4U, rack mounted | 4U, rack mounted

Physical dimensions (W, D, H) | 180, 126, 32 mm | 180, 126, 32 mm | 425, 485, 175 mm | 425, 485, 175 mm

Weight | 500 g | 500 g | 24 kg | 24 kg

Power source | AC plug pack | AC plug pack | mains | mains

Power input rating | 9-15 VDC, 1.0 A at DC Input; 100-240 VAC, 0.7 A at Plug Pack AC Input | 12 VDC, 1.0 A at DC Input; 100-240 VAC, 0.7 A at Plug Pack AC Input | 100-240V, 50/60Hz, 5-2 A | 100-240V, 50/60Hz, 5-2 A

Power consumption (Typical at highest data rate) | 6 W at DC Input; 10 W at Plug Pack AC Input | 7 W at DC Input; 11 W at Plug Pack AC Input | 300 W (fully loaded) | 300 W (fully loaded)

All interfaces accessible on single panel ✓ ✓ ✓ ✓

ENVIRONMENT, REGULATORY AND SAFETY:

RoHS compliant ✓ ✓ ✓ ✓

Maximum operating temperature 40°C 40°C 40°C 40°C

0-80% RH at 40°C | 0-80% RH at 40°C | 0-80% RH at 40°C | 0-80% RH at 40°C

Safety standards | EN 60950-1 (CE) | EN 60950-1 (CE) | EN 60950-1 (CE) | EN 60950-1 (CE)

IEC 60950-1 | IEC 60950-1 | IEC 60950-1 | IEC 60950-1

AS/NZS 60950.1 | AS/NZS 60950.1 | AS/NZS 60950.1 | AS/NZS 60950.1


UL listed ✓ ✓ ✓ ✓

EMC (Emission and immunity) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA) | FCC 47 CFR Part 15 (USA)

ICES-003 (Canada) | ICES-003 (Canada) | ICES-003 (Canada) | ICES-003 (Canada)

EN55022 (CE) | EN55022 (CE) | EN55022 (CE) | EN55022 (CE)

AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM) | AS/NZS CISPR 22 (RCM)

EN 61000-3-2 (CE) | EN 61000-3-2 (CE) | EN 61000-3-2 (CE) | EN 61000-3-2 (CE)

EN 61000-3-3 (CE) | EN 61000-3-3 (CE) | EN 61000-3-3 (CE) | EN 61000-3-3 (CE)

EN 55024 (CE) | EN 55024 (CE) | EN 55024 (CE) | EN 55024 (CE)


SENETAS CORPORATION LIMITED

E [email protected]

GLOBAL SUPPORT AND DISTRIBUTION

Senetas CN series encryptors are supported and distributed globally by Gemalto under its SafeNet encryption brand.

Gemalto also provides pre-sales technical support to hundreds of accredited partners around the world, including systems integrators, network providers, cloud and data centre service providers, telecommunications companies and network security specialists.


TALK TO SENETAS OR OUR PARTNERS

Senetas and Gemalto also work with customers’ existing data network service providers, systems integrators and information security specialists to specify the optimal high-assurance encryption solution for their needs.

Wherever you are, simply contact Gemalto or Senetas to discuss your needs. Or, if you prefer, your service provider may contact Gemalto or Senetas on your behalf.

HIGH-ASSURANCE NETWORK ENCRYPTION

Whatever your Layer 2 Ethernet network security needs, Senetas has a high-assurance solution to suit. Senetas encryptors support modest 10Mbps to high-speed 10Gbps links and multi-port 10x10Gbps links.

Scalable, agile and easy to use, Senetas high-assurance encryptors provide maximum security without compromising network performance.

CLEXPO-TP1016

Senetas manufactures high-assurance Layer 2 Metro Area and Carrier Ethernet network encryptors. They support all Layer 2 protocols and topologies.

Our multi-certified encryptors are used by some of the world’s most secure organisations, including governments and defence forces; commercial and industrial enterprises; Cloud, data centre and telecommunications service providers in more than 30 countries.