Group Encryption White Paper


Product Overview
Protecting data in motion has become a high priority for a growing number of companies and governments.  The growing threat of data theft and increasing regulatory pressure to protect data have moved encryption of data in motion from a “nice to have” technology to a budgeted project for many companies.

However, companies that have deployed IPsec VPNs across their networks have discovered that while encryption is a superior form of data protection, deploying and managing IPsec VPNs is complicated, time consuming and largely incompatible with other network requirements, such as application performance, intelligent traffic routing and reliability.  IPsec VPN technology is also incompatible with a growing number of cost-effective Layer 2 service options, such as Metro Ethernet E-LAN, E-Line and VPLS, forcing companies that need encryption to find another way to achieve it.

We address this need in the market with the introduction of CipherEngine, a groundbreaking group encryption solution that makes encryption easy to install, simple to manage and transparent to any infrastructure, topology or application.  
 
Examples of CipherEngine encrypted groups include:
• MPLS full mesh
• IP Hub and Spoke
• VPLS Mesh
• Metro Ethernet point-to-multipoint
• MPLS Multicast
• Multi-carrier infrastructures
• Mixed-vendor infrastructures
 
The CipherEngine solution has the added benefit of decoupling security from the network’s routed or switched infrastructure, providing additional security through role and access segmentation.

CipherEngine also eases network troubleshooting, which is difficult with tunnel-based transport encryption because the original packet headers are hidden inside the tunnel; with CipherEngine the headers remain in the clear.

Product Architecture
CipherEngine provides comprehensive security services including confidentiality, authentication, and entitlement between communication entities. 
Based on centralized policy definition, scalable key and policy distribution and secure endpoint grouping (Group Encryption), CipherEngine leverages purpose-built, high-speed encryptors to deliver robust security that is highly scalable, easy to manage and transparent to latency sensitive applications such as VoIP and Multicast Video.

Tunnel-Less Group Encryption 
Unlike IPsec VPNs and other router-based solutions, CipherEngine eliminates the need to configure encryption tunnels or set up predetermined device pairs for key negotiation.  Instead, it enables network or security administrators to centrally define security policies based on trusted groups, and then dynamically push group encryption keys to the enforcement points.  
 
The ability to define one or more group encryption policies from a central location greatly simplifies the installation and management process of network encryption.  Adds, moves and deletes can be accomplished in seconds, even for large networks with multiple, overlapping encryption groups.

Rekeys can be performed at any time with the click of a button, or scheduled to take place automatically on a configurable schedule.

How it Works
A CipherEngine solution has three primary components, each with a distinct function.
• A Management and Policy (MAP) server, where group encryption policies are defined (Figure 2).  It also includes an appliance management tool used for configuring, updating, and maintaining the enforcement points.
• A Key Authority Point (KAP) that generates and pushes encryption keys based on the group policies it receives from the policy server.
• CipherEngine Enforcement Points (CEPs), which are high-speed, low latency encryption appliances that deliver full duplex, line-rate performance for 10Mbps, 100Mbps, and 1Gbps.  The CEPs are policy configurable to support Layer 2, Layer 3 or Layer 4 encryption.
 
CipherEngine Management and Policy Server
The MAP (Figure 3) is a rich-client application used to define group encryption policies.

A CipherEngine group encryption policy defines which networks and subnets will be protected and then groups them together.  These encryption groups are referred to as “Network Sets” within CipherEngine.  An encryption group can have one or more policies associated with it, evaluated in priority order.  The Network Set view in MAP allows the user to create, edit, delete, and view the status of all Network Sets and encryption groups.

Once the Network Sets are created, the security policies governing them are defined.  Each group policy specifies the re-key periods, the encryption and hash algorithms to be used, and whether key generation is based on specific Network Sets or on a global policy.  Policy filtering criteria can be high level, such as “encrypt everything,” or more granular, selecting traffic based on IP addresses, protocols, or VLAN IDs.

The MAP enables the security administrator to monitor the working status of all KAP and CEP units in the deployment.  This monitoring capability includes information about units that are not responding, are in error or where policy deployments have not been completed. 

CipherEngine also provides a set of user roles to support role-based access to MAP and auditing responsibilities.
 
CipherEngine KAP: Key Creation and Deployment
The Key Authority Points handle all of the key generation activities in a CipherEngine deployment.  Once the group encryption policy is defined, the MAP sends a metapolicy containing all of the information regarding each policy to the KAP.  This includes the action (encrypt, clear, or drop), the lifetime of the policy, the encryptors that enforce the policies, and what kind of traffic the policy acts on.  The KAP then generates the required group encryption keys and sends the appropriate policies along with the shared keys to each of the encryptors.
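As an added illustration of how the policy definition above and the metapolicy the KAP pushes can be evaluated at an enforcement point, the following Python sketch is not CipherEngine’s own code or data model: the names NetworkSet, Policy and MetaPolicy, the dict-shaped packet, the “lowest priority value wins” rule and the sample topology are all assumptions.  It shows overlapping groups resolved by priority, an expired policy failing closed, and unmatched traffic dropped by default (the “deny all, permit by encryption group association” posture described later under Data Center and Private Cloud Security).

```python
"""Group-encryption policy evaluation as an enforcement point would apply the
metapolicy pushed to it.  Added illustration only: the class and field names,
the dict-shaped packet and the 'lowest priority value wins' rule are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class NetworkSet:
    """Named set of protected subnets (the membership of an encryption group)."""
    name: str
    subnets: Tuple[ipaddress.IPv4Network, ...]
    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.subnets)

@dataclass(frozen=True)
class Policy:
    """One metapolicy entry: filter criteria plus the action to take."""
    name: str
    priority: int                          # lower value is evaluated first (assumption)
    action: str                            # "encrypt" | "clear" | "drop"
    group: Optional[str] = None            # encryption group whose key is used
    src: Optional[NetworkSet] = None       # None = any source
    dst: Optional[NetworkSet] = None       # None = any destination
    protocols: FrozenSet[str] = frozenset()   # empty = any protocol
    vlans: FrozenSet[int] = frozenset()       # empty = any VLAN
    expires_at: float = float("inf")       # policy lifetime as an epoch timestamp
    def matches(self, pkt: dict) -> bool:
        if self.src and not self.src.contains(pkt["src"]):
            return False
        if self.dst and not self.dst.contains(pkt["dst"]):
            return False
        if self.protocols and pkt["proto"] not in self.protocols:
            return False
        return not self.vlans or pkt.get("vlan") in self.vlans

class MetaPolicy:
    """Priority-ordered policies plus the fail-closed default for unmatched traffic."""
    def __init__(self, policies: List[Policy], default: str = "drop"):
        self.policies = sorted(policies, key=lambda p: p.priority)
        self.default = default
    def decide(self, pkt: dict, now: float) -> Tuple[str, Optional[str], str]:
        """Return (action, group, policy name).  First live match wins; an expired
        policy is skipped, so a stale rule falls through to the default."""
        for pol in self.policies:
            if now < pol.expires_at and pol.matches(pkt):
                return pol.action, pol.group, pol.name
        return self.default, None, "default"

def _net(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

def _pkt(src, dst, proto, vlan=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "vlan": vlan}

# Constructed sample topology: branch sites and a data centre inside 10.0.0.0/8.
ALL_SITES = NetworkSet("all-sites", _net("10.0.0.0/8"))
FINANCE = NetworkSet("finance", _net("10.1.0.0/16"))
DATA_CENTRE = NetworkSet("dc", _net("10.200.0.0/16"))
MGMT = NetworkSet("mgmt", _net("10.255.0.0/24"))
PARTNER = NetworkSet("partner", _net("192.0.2.0/24"))

SAMPLE_POLICY = MetaPolicy([
    Policy("old-partner", 5, "clear", dst=PARTNER, expires_at=1_700_000_000),
    Policy("mgmt-clear", 10, "clear", dst=MGMT),
    Policy("voice", 20, "encrypt", group="voip", src=ALL_SITES, dst=ALL_SITES,
           protocols=frozenset({"udp"}), vlans=frozenset({100})),
    Policy("finance-to-dc", 30, "encrypt", group="finance", src=FINANCE, dst=DATA_CENTRE),
    Policy("site-mesh", 40, "encrypt", group="wan", src=ALL_SITES, dst=ALL_SITES),
])

def decisions(now: float = 1_800_000_000) -> dict:
    """Evaluate constructed flows; note the finance host in VLAN 100 lands in the
    overlapping 'voip' group because that policy has the higher priority."""
    flows = {
        "voice":       _pkt("10.1.5.5", "10.2.7.7", "udp", vlan=100),
        "finance":     _pkt("10.1.5.5", "10.200.1.1", "tcp"),
        "branch-mesh": _pkt("10.2.7.7", "10.3.9.9", "tcp"),
        "mgmt":        _pkt("10.1.5.5", "10.255.0.10", "tcp"),
        "partner":     _pkt("10.1.5.5", "192.0.2.8", "tcp"),   # only an expired rule fits
        "internet":    _pkt("10.1.5.5", "198.51.100.4", "tcp"),
    }
    return {name: SAMPLE_POLICY.decide(p, now) for name, p in flows.items()}
```

The point to take from the sample is the ordering: a narrow, high-priority rule (management traffic in the clear, voice into its own group) must sit above the broad site-mesh rule, and anything that matches nothing, including traffic whose only rule has passed its lifetime, is dropped rather than forwarded in the clear.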
 
The KAP operates continuously, generating new keys, responding to MAP requests and, when necessary, resending failed messages.  In deployments where redundancy is required, a backup KAP can monitor the primary KAP’s policies.  In the event of a failure, the backup KAP performs a network rekey and takes over operation automatically until the primary KAP returns to operational status.  The KAP reports status information to the MAP not only for itself but also for its protected CEP units.
 
A KAP can be installed as a separate application on the same Windows workstation as the MAP software, or purchased as a 1U rack-mountable appliance.  All group policy and encryption key distribution is protected by TLS and takes place over the management ports of the KAP and CEPs.  Because the group keys travel over this path, the management network and the TLS credentials on the KAP and CEPs should be protected as carefully as the data path itself.
 
When keys that have already been deployed are nearing expiration, the KAP automatically generates new keys and pushes them out to replace the expiring keys.  This auto-renew feature can be set to occur at specified intervals or at specific times.  Key updates are completed in such a way that no packets are sent in the clear or dropped during the rekey process.

CipherEngine Enforcement Point (CEP): 
The MAP allows users to configure, update, maintain and troubleshoot the CEPs in a deployment.  Our network encryptors are wire-speed encryption appliances providing flexible IP packet encryption, Ethernet frame encryption or TCP/UDP payload-only encryption in a single appliance.


The CEPs can operate in what is called “Network Mode.”  Network Mode includes a number of functions, including:
• Copying the inner IP addresses of a packet to the outer tunnel addresses
• Copying the original MAC addresses to the outbound packet
 
The CEPs are available in three models, offering full-duplex wire-speed encryption at 10Mbps, 100Mbps or 1Gbps.
 
Transparent Group Encryption:
CipherEngine’s ability to deploy transparent group encryption over any infrastructure or topology is made possible by the solution’s ability to encrypt only the “payload” portion of a frame or packet and leave the header information in the clear (Figure 5).  For example, CipherEngine Layer 2 encryption not only leaves VLAN information in the clear, but allows group encryption policies to be based on VLAN IDs.
CipherEngine also allows users to create IP or MPLS encrypted groups for multiple topologies.  Only CipherEngine has the ability to encrypt the data payload while leaving the Layer 4 header in the clear. 
This unique capability preserves network services that rely on information contained in the Layer 4 header, such as traffic shaping, CoS-based routing, and Netflow or J-Flow.  Encryption groups can easily be created for multicast video or Voice over IP without adding measurable latency or jitter, and without the need to modify native traffic flows.
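The following Python example is added here to make concrete what “encrypt only the payload and leave the headers in the clear” means, together with the overlapping-key rekey described in the KAP section and the packet-by-packet authentication mentioned under Data Center and Private Cloud Security.  It is not CipherEngine’s code or wire format: the trailer layout, the key-ID scheme, the HMAC-SHA256 counter-mode keystream standing in for a real cipher, and the constructed IPv4/TCP packet are all assumptions, and IP/TCP checksums are deliberately not maintained to keep it short.

```python
"""Payload-only group encryption with L3/L4 headers in the clear, per-packet
authentication and an overlapping-key rekey.  Added illustration only: the trailer
layout, key-ID scheme and HMAC-SHA256 counter-mode keystream (stand-in for a real
cipher such as AES) are assumptions; IP/TCP checksums are not maintained."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16                        # truncated HMAC-SHA256 tag (assumption)
TRAILER = struct.Struct("!B8s")     # key ID + 8-byte per-packet nonce (assumption)

def payload_offset(pkt: bytes) -> int:
    """Offset of the L4 payload in IPv4/TCP or IPv4/UDP; all bytes before it are header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6:                                     # TCP: honour the data offset
        return ihl + (pkt[ihl + 12] >> 4) * 4
    if pkt[9] == 17:                                    # UDP: fixed 8-byte header
        return ihl + 8
    raise ValueError("unsupported L4 protocol %d" % pkt[9])

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0                                   # counter mode over HMAC (toy)
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

class GroupKeyRing:
    """Keys one CEP holds for a group: every installed key is accepted on receive,
    only `active` is used to send, so old and new keys can overlap during a rekey."""
    def __init__(self):
        self.keys, self.active = {}, None
    def install(self, key_id: int, key: bytes):   # KAP push: accept, do not send yet
        self.keys[key_id] = key
    def activate(self, key_id: int):              # senders switch to this key
        self.active = key_id
    def retire(self, key_id: int):                # old key past its lifetime
        self.keys.pop(key_id, None)

def seal(ring: GroupKeyRing, pkt: bytes) -> bytes:
    """Encrypt only the payload; the tag covers clear headers, ciphertext and trailer."""
    off = payload_offset(pkt)
    key, nonce = ring.keys[ring.active], os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pkt[off:], _keystream(key, nonce, len(pkt) - off)))
    body = pkt[:off] + ct + TRAILER.pack(ring.active, nonce)
    body = body[:2] + struct.pack("!H", len(body) + TAG_LEN) + body[4:]   # IPv4 total length
    return body + _tag(key, body)

def open_(ring: GroupKeyRing, pkt: bytes):
    """Original packet, or None to drop: unknown key ID, tampered bytes, malformed."""
    try:
        off = payload_offset(pkt)
    except ValueError:
        return None
    if len(pkt) < off + TRAILER.size + TAG_LEN:
        return None
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    key_id, nonce = TRAILER.unpack(body[-TRAILER.size:])
    key = ring.keys.get(key_id)
    if key is None or not hmac.compare_digest(_tag(key, body), tag):
        return None
    ct = body[off:-TRAILER.size]
    clear = pkt[:off] + bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return clear[:2] + struct.pack("!H", len(clear)) + clear[4:]          # restore length

def make_tcp_packet(payload: bytes) -> bytes:
    """Constructed sample IPv4/TCP packet 10.0.1.5:443 -> 10.0.2.9:50000."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9]))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def rekey_demo() -> dict:
    """Rekey order that drops nothing: install the new key everywhere, switch senders, retire the old."""
    k1, k2 = os.urandom(32), os.urandom(32)
    tx, rx = GroupKeyRing(), GroupKeyRing()
    for ring in (tx, rx):
        ring.install(1, k1)
        ring.activate(1)
    pkt = make_tcp_packet(b"GET / HTTP/1.1\r\n")
    old = seal(tx, pkt)                          # in flight when the rekey starts
    rx.install(2, k2)                            # step 1: receivers accept key 2
    tx.install(2, k2)
    tx.activate(2)                               # step 2: senders move to key 2
    new = seal(tx, pkt)
    tampered = old[:22] + bytes([old[22] ^ 1]) + old[23:]   # flip a TCP port byte
    out = {
        "headers_in_clear": old[:2] == pkt[:2] and old[4:40] == pkt[4:40],
        "payload_hidden": pkt[40:] not in old,
        "old_key_still_accepted": open_(rx, old) == pkt,
        "new_key_accepted": open_(rx, new) == pkt,
        "tampered_header_dropped": open_(rx, tampered) is None,
    }
    rx.retire(1)                                 # step 3: old key lifetime ends
    out["retired_key_dropped"] = open_(rx, old) is None
    return out
```

Two design points carry over to any real deployment of this kind.  First, the authentication tag must cover the headers that stay in the clear, otherwise an attacker can redirect an authenticated payload by rewriting addresses or ports; the tampered-port case above is rejected for exactly that reason.  Second, a rekey that never drops a packet requires the new key to be installed on every receiver before any sender switches to it, and the old key to be retired only after its lifetime, which is why the key ID travels with each packet.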

Solution Applications:
Layer 3 WAN (IP/MPLS) Encryption:
While MPLS and other forms of IP transport remain popular due to their improved performance and cost benefits over private lines, there is now broad consensus that the logical segmentation offered by MPLS provides traffic separation, not confidentiality, and is not an adequate form of data protection on its own.  With CipherEngine, organizations can secure their data across the WAN using group encryption policies that mirror their WAN transport topologies and application flows.  CipherEngine offers transparent data privacy and regulatory compliance without any changes to the existing infrastructure.

Layer 2 WAN (Metro Ethernet/VPLS) Encryption:
Customers using Layer 2 technologies for their WAN are often forced to deploy point-to-point encryption solutions, or worse, introduce latency-inducing Layer 3 VPNs, to secure their data in motion.  CipherEngine allows companies to secure their data with a native encryption solution that can secure any Layer 2 topology, including multipoint-to-multipoint or mesh.  Only CipherEngine allows a group encryption policy to be based on VLAN IDs, allowing companies to cryptographically segment their VLANs.

VoIP/Multicast Video Encryption
VoIP and multicast video are two of the fastest growing network applications.  Organizations recognize the need to secure these applications, but concerns about the latency and jitter of IPsec VPNs often lead to these applications operating in the clear.  With CipherEngine, encrypting VoIP or Video can be accomplished without impacting quality or adding jitter.  CipherEngine offers group encryption policies for multicast, full mesh, and hub and spoke topologies.  This allows applications to flow in their native environment without redirects and without burdening the infrastructure with the CPU intensive tasks of policy look up and encryption.
 
Data Center and Private Cloud Security
CipherEngine makes it easy to encrypt data flowing into and out of data centers and private clouds.  By creating encrypted groups and setting a “deny all, permit by encryption group association” policy, enterprises can not only protect their data in motion but also ensure that the data was not modified in transit, as CipherEngine authenticates on a packet-by-packet basis.  In addition, the wire-speed capabilities of the CEP line of encryptors make it possible to discard unauthorized packets at wire speed, helping to mitigate DDoS and other brute-force attack vectors.
 
Encryption as a Service
CipherEngine is an ideal solution for service providers looking to offer Encryption as a Service (EaaS).  CipherEngine allows service providers to add an encryption service without altering the existing network infrastructure or modifying the customer-premise router/switch.  The unique ability to leave the Layer 4 header in the clear ensures that this value-added security does not impact SLAs that use Layer 4 information to shape or monitor traffic.
 
Public Internet and Multi-Carrier
For enterprises that use the public Internet, CipherEngine offers a single solution to deploy and manage group encryption.  Even in mixed carrier, off-net and extranet environments, CipherEngine offers group encryption management on a single platform.