CEP VSEs

Product Overview

The CipherEngine Enforcement Point (CEP) Variable Speed Encryptors (VSEs) are bandwidth-customizable encryption appliances that provide multi-layer data protection, including Ethernet frame encryption for Layer 2 networks, IP packet encryption for Layer 3 networks, and Layer 4 data payload encryption for MPLS networks. The CEP VSEs offer full-duplex, line rate encryption from 3Mbps to 1Gbps using the AES 256 encryption algorithm.

The CEP VSEs enable organizations to standardize on a single platform capable of encrypting at various throughputs, based on software licenses. This allows organizations to continue to use the same encryption hardware as their bandwidth needs increase, providing both flexibility and investment protection. The CEP VSE appliances are designed to meet the security needs of any organization, from a small or home office to the largest data centers. The CEP VSEs integrate easily into any existing network, operating transparently to the network infrastructure and ensuring your data transmissions are encrypted without compromising performance.

Ethernet Frame Encryption

The CEP VSEs are compatible with all Layer 2 unicast, multicast, point-to-point, and multipoint-to-multipoint topologies. The CEP VSEs also authenticate all Ethernet frames, preventing man-in-the-middle attacks. Encryption policies can be based on VLAN IDs for cryptographic segmentation of data, or can be set to encrypt all Ethernet frames.

IP Packet Encryption

Using the IP Security (IPsec) protocol, the CEP VSEs provide full data encryption for Layer 3 IP networks. The CEP VSE family utilizes the CipherEngine Encapsulating Security Payload protocol (CE-ESP) to encrypt the IP packet, while preserving the original IP header. This unique functionality maintains network transparency, while providing maximum data protection. By preserving the original header information and encrypting only the payload, the CEP VSEs can protect data over any IP network infrastructure including multi-carrier, load-balanced and high availability networks.

Payload Only Encryption

In addition to standard IPsec encryption (which encrypts the Layer 4 header), the CEP VSEs offer a Layer 4 compatible “payload only” encryption option for backbone MPLS networks. This unique, patent-pending capability allows network services, such as Netflow/Jflow and Class of Service (CoS) based traffic shaping, to be maintained through the service provider network while the payload itself is encrypted.

Central Policy Management

The CEP VSEs can be configured and centrally managed via the CipherEngine Policy and Key Manager. Within CipherEngine, CEP VSEs can be assigned to groups, called Network Sets. Each CEP VSE in a given Network Set is given permissions and policies to mirror the logic of network architectures and application data flows. This grouping capability greatly reduces the complexity of large-scale encryption deployments and enables fully meshed, any-to-any encryption for all network traffic. CipherEngine is also ideal for smaller networks with limited security personnel. It allows security and network administrators to quickly and easily manage network security from a centralized interface with simple drag and drop functionality.

CipherEngine allows for granular control over the definition and configuration of network encryption policies. Encryption policies can be based on source or destination IP addresses, source or destination port numbers, protocol IDs, or VLAN tags. Policies can be quickly and easily modified in seconds on even the largest networks, without traffic disruptions or remote personnel interaction. CipherEngine also provides log and audit mechanisms which allow you to collect and monitor key data such as CEP VSE status, as well as policy, password and device configuration changes.

Tech Specs

Throughput
CEP10 VSE:
• Choice of 3Mbps, 6Mbps, 10Mbps, 25Mbps, 50Mbps or 75Mbps encrypted throughput
CEP100 VSE:
• Choice of 100Mbps, 155Mbps, or 250Mbps encrypted throughput
CEP1000 VSE:
• Choice of 500Mbps, 650Mbps, or 1000Mbps encrypted throughput

Encryption Support
• AES: (256 bit keys) CBC mode
• 3DES

Authentication and Integrity
• HMAC-SHA-1-96
• HMAC-MD5

Network Support
• Ethernet
• VLAN tag preservation
• MPLS tag preservation
• IPv4
• IPv6 (Layer 2 Ethernet encryption mode)
• NTP

Policy Selector Options
• Source or destination IP address
• Source or destination port number
• Protocol ID (Layer 3 IP packet and Layer 4 payload options)
• VLAN ID (Layer 2 Ethernet encryption option)
• Multicast address

Transforms
• CipherEngine Encapsulated Security Payload (ESP) Tunnel mode with header preservation option
• CipherEngine Encapsulated Security Payload (ESP) Transport mode (L4 option)
• CipherEngine Ethernet Encapsulated Security Payload (L2 option)

Device Management
• CipherEngine
• Out-of-band management
• Alarm condition detection and reporting
• Syslog support
• SNMPv2c and SNMPv3 managed object support
• Audit Log
• Management access using X.509 v3 digital certificates

Management Communication Security Options
• TLS (full authentication)
• SSH
• IKE/IPsec

Physical
CEP10 VSE:
• 1U tamper evident chassis
• Dimensions 1.6”H x 8.0”W x 5.8”D
• Rack mountable in standard 19” rack or can be used as desktop
• External Power Adapter: 100-240V A/C @ 1.5A, 50/60Hz, output 12V D/C, 5A max (60W max)
• Thermal: In-rush 102 BTU/hr, Steady-state 102 BTU/hr
• Nominal input current: 0.25A
• Weight: 3 lbs as rackmount; 1 lb., 5 oz. as desktop

CEP100 VSE and CEP1000 VSE:
• 1U tamper evident chassis
• Dimensions 1.75”H x 17”W x 10”D
• Rack mountable in standard 19” rack
• Power: 100-240V A/C @ 4A, 50/60Hz, auto-sensing
• Thermal: In-rush 380 BTU/hr, Steady-state 140 BTU/hr
• Nominal input current: 1.0A
• Weight: 6 lbs

Indicators
• Power
• Alarm
• LED Status

Interfaces

CEP10 VSE:
• Data Interfaces: Two 10/100/1000 RJ45 Ethernet ports
• Management Interfaces: One 10/100 RJ45 Ethernet and one RS232 serial port
• Aux1 RJ45 port is for future use

CEP100 VSE:
• Data Interfaces: Two 10/100/1000 Mbps RJ45 Ethernet ports
• Management Interfaces: One 10/100 RJ45 Ethernet and one RS232 serial port

CEP1000 VSE:
• Data Interfaces: Two full-duplex Gigabit Ethernet ports with SFP interfaces (single mode, multimode or copper)
• Management Interfaces: One 10/100 RJ45 Ethernet and one RS232 serial port
• Management SFP port and Aux1 SFP port are for future use

Environmental
• Operating temperature: 0° to 40° C (32° to 104° F)
• EU WEEE
• EU RoHS-5

Regulatory
• Safety: UL 60950-1
• Emissions for CEP10 VSE and CEP1000 VSE: FCC part 15 subpart B class A
• Emissions for CEP100 VSE: FCC part 15 subpart B class B