CipherOptics – CipherEngine Functional Specification
August 12, 2012CEP functional specification:
- The CipherOptics line of encryptors operate as a Bump in the Wire (BITW). This translates to the encryptor being transparent to the network and applications – no performance impact.
- The CEP neither routes nor switches traffic. It checks each packet received against policy and takes the appropriate action – encrypt, bypass, or drop on packets received on the LAN side or decrypt, bypass, or drop on packets received on the WAN side.
- In Layer 2 mode the CEP will preserve the MAC addresses of the original Ethernet frame, thus allowing the frame to be switched after encryption just as it were if the packet was not encrypted. No changes required to the Layer 2 infrastructure.
- In the CEPs Layer 3 mode, the encrypted packet retains the original source and destination ip addresses, however, the ip next protocol field is changed to 50 (ESP). No changes are needed to the routed network – the encrypted packet has the original src/dst addresses required for routing. The Layer 3 header maintains the DSCP/TOS bits for QoS. The CEPs also operate in Layer 4 mode – this mode maintains the Layer 4 header (TCP/UDP header) in the clear. Only the TCP/UDP payload is encrypted. If the packet is not TCP/UDP, the entire ip payload is encrypted – the ip next protocol field is maintained. The Layer 4 encryption mode allows the following: NAT, setting COS based on port info, policy based routing, and collecting Netflow statistics all after encryption. Also, troubleshooting encrypted networks is easier with the Layer 4 policy as the Layer 4 information is accessible in the WAN.
- The CEP therefore allows the network to perform all switching and/or routing as originally intended – this includes load balancing, failover, etc.
- CEPs can also be configured in an Active-Active scenario where all pertinent encryptors will have the same policies and keys to allow for a packet to traverse any path on the WAN.
- Both Layer 2 and Layer 3/4 mode allows for full, wire rate processing of each packet that passes through the encryptor for:
- AES 256 bit encryption (3DES is an option)
- SHA-1 authentication (MD5 is and option)
- Packet fragmentation/reassembly (if needed – jumbo frames up to 9300 bytes for high MTU are supported to avoid fragmentation) CipherOptics CEP Encryptor Family
- The CipherOptics CEP encryptors are based on throughput:
- The CEP10 has two 10Mbit ports for up to 10Mbit throughput requirements and has an internal throughput of 19Mbit for full duplex packet processing.
- The CEP100 has two 10/100Mbit ports for up to 100Mbit throughput requirements and has an internal throughput of 190Mbit for full duplex packet processing.
- The CEP1000 has two 1Gbit ports for up to 1 Gbit throughput requirements and has an internal throughput of 1.9Gbit for full duplex packet processing. The CEP1000 is SFP based and supports copper, MM fiber, or SM fiber SFPs.
- The CEP100 will therefore suffice for DS3 (45Mbit) throughput requirements.
- The CEP100 has copper only 100Mbit ports and will only negotiate its speed to 10/100 mbps. CipherOptics CipherEngine general functional specification
- CipherEngine software/hardware allows for:
- Easy, centralized, and GUI based management of encryption policies and keys.
- Redundant key servers generate and distribute keys to CEP encryptors. They operate in active/standby mode.This process vastly simplifies how encryption policies are configured and maintained.
- Endpoint encryptors no longer have to negotiate keys, nor are encryption tunnels created on the network, allowing the network to function as it was designed.
- Policy and key centralization allows for policy management to be completed in seconds via policy creation/change, whether the environment contains 8 encryptors or 800 encryptors.
- User created, per policy key intervals allow for the changing of keys when it’s most appropriate for the organization. Also available is anytime manual re-keying which enables the easy changing of keys at any time for any reason, regardless of any pre-defined keying interval.
- Centralized CEP encryptor maintenance allows for multiple encryptor software updates, configuration updates and reporting.
- CipherEngine GUI resides on a Windows OS and is simply used to manage encryptors as well as policy creation and distribution, and thus does not need to be running for the encrypted environment to function.
- Performance impact of CipherOptics CEP encryptors
- In terms of throughput, the CEP encryptors perform at wire rate at the theroretical maximum of the IPSec standard.
- In terms of latency, the CEP100 encryptors inject a minimal amount of latency into the network and is measured in microseconds (1/1000th of a millisecond):
- Average latency is below 100 microseconds.
- In other words, there is no performance impact, regardless of network or application. Latency sensitive applications such as VOIP and Video are not impacted by encryption.
- CipherOptics CEP Maintenance
- Software updates occur on average two times a year.
- It is recommended that all CEP encryptors are up to date with the latest software.
- Platinum service includes next business day replacement for defective encryptors. If the SLA for downtime is less than 24 hours, then spare encryptors are recommended.
- CipherOptics downtime
- CEP encryptors rarely fail with a third party validated MTBF of approx. 10 years.
- Should an encryptor fail, it will fail closed, thus allowing the network to provide failover, which can be from a number of methods:
- Multiple encryptors can be configured on a single link via a spanning tree to provide high availability.
- Multiple encryptors can be configured on a single link via a link aggregation group to provide both high availability and aggregated throughput.
- Normal network rerouting, via HSRP for example, on multiple links is fully supported should network traffic