The CipherEngine Enforcement Point (CEP) is a flexible encryption appliance that provides Ethernet frame encryption for Layer 2 Ethernet networks, IP packet encryption for Layer 3 networks, and Layer 4 data payload encryption for MPLS networks. The CEP100 offers full-duplex line rate encryption at 100Mbps (200Mbps aggregated) using the AES encryption algorithm.
The CEP100 enables organizations to standardize on one platform for any small, medium or remote branch office networks. CEPs integrate easily into any existing network, operating transparently to the network and ensuring all of your data transmissions are encrypted.
Ethernet Frame Encryption
The CEP100 is compatible with all multipoint-to-multipoint Ethernet, point-to-point Ethernet and Layer 2 multicast or unicast topologies. As part of the encryption process with the CEPs, each and every Ethernet frame is authenticated. The CEPs can encrypt data based on the VLAN ID or they can simply encrypt all Ethernet frames.
IP Packet Encryption
Using the IP Security protocol (IPsec), the CEP100 provides full data encryption for Layer 3 IP networks at 100Mbps (200Mbps aggregated). The CEP family uses the CipherEngine Encapsulating Security Payload protocol (CE-ESP) to preserve the original IP packet header and encrypt just the payload. By preserving the original header information and encrypting only the payload, the CEPs can encrypt data over load-balanced, redundant and resilient networks.
Payload Only Encryption
Unlike standard IPsec encryption, which encrypts portions of the Layer 3 header, the CEPs offer a Layer 4 “payload only” encryption option for backbone MPLS networks. This capability allows network services such as NetFlow and Network Address Translation (NAT), which use information in the Layer 4 header, to continue to operate while the data is encrypted.
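To make the difference between the header-preservation and payload-only options concrete, the Go program below is an added example, not the CipherEngine product's own code (the CE-ESP wire format is proprietary and not described on this page). It takes a constructed IPv4/TCP packet, leaves either the IPv4 header or the IPv4 and TCP headers in the clear, encrypts the rest with AES-256-CBC and appends an HMAC-SHA-1-96 ICV over the whole frame, the cipher and authentication method the spec lists; the prefix lengths, the packet, the keys and the byte layout are assumptions.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)
// Clear-text prefix left by each transform (assumed model of the datasheet's options; IPv4 without options, TCP):
// header preservation keeps the 20-byte IPv4 header, the L4 option also keeps the 20-byte TCP header.
const L3HeaderPreserve, L4PayloadOnly = 20, 40
// SamplePacket is a constructed IPv4/TCP packet, 10.0.0.1:4500 -> 10.0.0.2:443, total length 59 bytes.
var SamplePacket = append([]byte{0x45, 0, 0, 59, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
	0x11, 0x94, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0}, "constructed payload"...)
// Protect emits pkt[:prefix] || IV || AES-256-CBC(pkt[prefix:], PKCS#7 padded) || HMAC-SHA-1-96 over all of it.
func Protect(pkt []byte, prefix int, encKey [32]byte, macKey []byte) ([]byte, error) {
	if len(pkt) < prefix {
		return nil, errors.New("packet shorter than the clear-text prefix")
	}
	blk, _ := aes.NewCipher(encKey[:]) // cannot fail: the key type fixes AES-256
	pad := aes.BlockSize - (len(pkt)-prefix)%aes.BlockSize
	plain := append(append([]byte{}, pkt[prefix:]...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, prefix+aes.BlockSize+len(plain))
	copy(out, pkt[:prefix])
	iv := out[prefix : prefix+aes.BlockSize]
	rand.Read(iv) // fresh IV per packet, sent in the clear as ESP does; cannot fail since Go 1.24
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out[prefix+aes.BlockSize:], plain)
	mac := hmac.New(sha1.New, macKey)
	mac.Write(out) // the ICV also covers the preserved headers, so tampering with them is detected
	return append(out, mac.Sum(nil)[:12]...), nil // ICV truncated to 96 bits
}
// Verify is the receiving CEP's check; a frame whose ICV does not match is dropped before decryption.
func Verify(wire, macKey []byte) bool {
	if len(wire) < 12 {
		return false
	}
	mac := hmac.New(sha1.New, macKey)
	mac.Write(wire[:len(wire)-12])
	return hmac.Equal(mac.Sum(nil)[:12], wire[len(wire)-12:])
}
// ClearPorts is what a NAT or NetFlow device in the path reads with no key: ports are visible only under the L4 option.
func ClearPorts(wire []byte, prefix int) (src, dst uint16, visible bool) {
	if prefix < L4PayloadOnly || len(wire) < L4PayloadOnly {
		return 0, 0, false
	}
	return binary.BigEndian.Uint16(wire[20:]), binary.BigEndian.Uint16(wire[22:]), true
}
```

Under header preservation the ports are inside the ciphertext, so a NAT or flow exporter in the path sees only the IP header; under the L4 option it still reads them, at the cost of exposing the transport header.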
Central Policy Management
Configuring and managing the CEPs is easy with CipherEngine. Within the CipherEngine policy and key manager, CEPs can be assigned to groups, called Network Sets. Each CEP in a given Network Set is given the same encryption key material. This grouping capability greatly reduces the complexity of large-scale IP encryption deployments and enables fully meshed, any-to-any encryption for all network traffic on any network.
CipherEngine provides granular control over what gets encrypted on the network. Traffic encryption is set by policy definition and can be based on source IP address, destination IP address, source port number, protocol ID, or VLAN tag ID. CipherEngine also provides log and audit mechanisms that allow you to collect and monitor key criteria such as CEP status, policy changes, device configuration changes, and password changes. With CipherEngine, you can perform real-time additions, changes and deletions across your global network.
Tech Specs
Encryption Support
• AES: FIPS 197 (256-bit keys), CBC mode
Authentication Methods
• X.509 v3 digital certificates
• Pre-shared secrets
• HMAC-SHA-1-96
Device Management
• CipherEngine
• Out-of-band management (TLS and SSH)
• Alarm condition detection and reporting
• Syslog support
• SNMPv2C managed object support
• Audit log
Transforms
• CipherEngine Encapsulated Security Payload (ESP) Tunnel mode with header preservation option
• CipherEngine Encapsulated Security Payload (ESP) Transport mode (L4 option)
• CipherEngine Ethernet Encapsulated Security Payload (L2 option)
Policy Selector Options
• Source IP address, destination IP address, source port number, destination port number, protocol ID (Layer 3 IP packet and Layer 4 payload options)
• VLAN ID (Layer 2 Ethernet encryption option)
Performance
• Up to 100Mbps (200Mbps aggregated) AES encrypted throughput
Network Support
• Ethernet
• VLAN tag preservation
• MPLS tag preservation
• IPv4
• SNTP
Interfaces
• Data interfaces: Two 10/100Mbps RJ45 Ethernet ports
• Management interfaces: One 10/100 RJ45 Ethernet and one RS232 serial port
Regulatory
• Safety: UL 60950-1, First Edition (2001), CSA-C22.2 No. 60950-1 First Edition (2001), EN 60950-1:2001
• Emissions: FCC part 15 subpart B class B; CS IECS-003 Class B, ANSI C63.4 - 2003, EN 55022:2006 Class B, EN 61000-3-2:2006, EN 61000-3-3:1995/A1:2001/A2:2005, CE Marking -2004/108/EC
• Immunity: EN 55024:1998/A1:2001/A2:2003, IEC 61000-4-2:1995/A2:2000, IEC 61000-4-3:2002, IEC 61000-4-4:2004, IEC 61000-4-5:1995/A1:2000, IEC 61000-4-6:1996/A1:2000, IEC 61000-4-8:1993/A1:2000, IEC 61000-4-11:1994/A1:2000, AS/NZS CISPR 22:2006 Class B
Environmental
• Operating temperature: 0° to 40° C (32° to 104° F)
• EU WEEE
• EU RoHS-5
Physical
• 1U tamper evident chassis
• Dimensions 1.75”H x 17”W x 10”D
• Rack mountable in standard 19” rack
• Power: 100-240V A/C @ 4A, 50/60Hz, auto-sensing
• Thermal: In-rush 380 BTU/hr, Steady-state 140 BTU/hr
• Nominal input current: 1.0A
• Weight: 6 lbs
Indicators
• Power
• Alarm
• LED status
Certifications
• FIPS 140-2 Level 2
Features and Benefits
• Ethernet frame encryption: encrypts the entire Ethernet payload; data protection is independent of the Layer 3 protocol
• IP packet encryption: IPsec ESP encryption with a tunnelless option; site-to-site IPsec over public or private networks
• IP header option: IP header preservation or virtual IP address; option to preserve the original IP address in the IPsec header, allowing encrypted traffic to be load balanced
• IP payload encryption: Layer 4 option; preserves IP headers for MPLS traffic engineering
• Encryption across different network layers: define encryption rules for Layer 2, 3 and 4 encryption; flexible configuration and deployment
• Group policy creation: group key distribution; allows for encrypted groups based on VLAN associations or topology (any-to-any, hub and spoke, or multicast)
• Flexible policy control: selectable policy type; single device for Layer 2, Layer 3 or Layer 4 encryption