SITLine-detailed - Gulf IT

Separation between network and security functions
External vs. built-in encryption
ı Inside the network
  - Attack: attackers often target network nodes (e.g. routers)
  - A hijacked router jeopardizes built-in security mechanisms
ı Inside the encryption device
  - Network functions and security functions are (physically) separated inside the device
  - The device can be managed by different user groups (e.g. service provider, security officer)
Diagram labels: Security settings, Network settings
1
Private lines/connections
Optical and electrical lines can be tapped easily
ı Tapping the network
  - Promiscuous Ethernet probes
  - Ethernet switch taps
  - Passive optical splitters
  - Mirror ports (available in many routers/switches)
ı Network tap
  - Copper: regeneration of the signal
  - Fiber: split of the signal, e.g. 50:50, 70:30, 90:10
  - Completely passive
  - Identical copy of the traffic
  - The network link is interrupted only once (for installation)
2
Secure landline, radio relay and satellite transmission
R&S®SITLine ETH
ı Ethernet encryptor family up to 40 Gbit/s
ı Advanced cryptographic methods and standards (elliptic curves, AES, X.509)
ı Tamper protection and random numbers
3
Designed with the data center in mind
R&S®SITLine ETH10G/40G
ı ETH10G: 1× 10 GbE (10 Gbit/s) – optical and electrical
ı ETH40G: 4× 10 GbE (40 Gbit/s ports) – optical or electrical
ı BSI-certified for German “restricted” (VS-NfD) and NATO restricted
ı Common Criteria EAL4+ certification*
*pending
4
Protects against espionage and manipulated data
R&S®SITLine ETH100/1G
ı ETH1G: 1× 1 Gigabit Ethernet (1 Gbit/s)
ı ETH100: 1×, 2× or 4× Fast Ethernet (100 Mbit/s)
ı BSI-certified for German “restricted” (VS-NfD) and NATO restricted
5
Ethernet encryptor for harsh environmental conditions
R&S®SITLine ETH50
ı Ruggedized:
Temperature range for operation -20°C to +70°C, fanless operation, MTBF > 300 000 h
ı Flexible:
Variants with 25, 50, 100 Mbit/s throughput
ı Certified:
BSI-certified for German “restricted” (VS-NfD) and NATO restricted
6
Easy configuration and monitoring
R&S®SITScope
ı Infrastructure as a Service: separated security management allows outsourcing of the network management
ı Two-factor authentication: smartcard-based authentication of devices and users
ı Automatic configuration adaptation: redundant, self-healing management connections
7
Low lifecycle costs thanks to online security management and separated network management
Diagram labels: Supervisor, Manager, Monitor; LAN – Carrier – LAN; TLS (online security management), SNMP (network management by service provider)
Online security management:
ı 2-factor authentication
ı Roles for users
ı Manage net plan
ı Create and distribute device certificates
ı Central point for log files and audits
Network management by service provider:
ı SNMPv3 credentials
ı Device and throughput tests
ı Statistical data
8
Professional equipment for encryption
True random numbers and tamper protection
ı Session keys with high entropy
  - Based on true random numbers
  - Uses the maximum key size
  - For point-to-point or group connections
ı Tamper protection
  - Physical access to the device (e.g. opening) forces an emergency clear
9
Professional equipment for encryption
Strong authentication and red-black separation
ı Strong authentication (token)
  - "Something I have, something I know" (ownership and knowledge)
  - Device against device, device against server, server against device, security officer against device, security officer against server
ı Red-black separation (no crypto bypass)
  - Sensitive unencrypted traffic cannot be mixed up with encrypted traffic
  - Physical separation by different plugs/lines inside the device
10
Key Features and USPs
R&S®SITLine product family
1. The only Ethernet encryptor with multiple crypto port devices
2. The only Ethernet encryptor with separation of security management (customer) from the network management (customer or network operator)
3. The only Ethernet encryptor with no need for central key servers (neither external nor built-in) for multicast traffic/streams
4. Rohde & Schwarz is a long-term, reliable and renowned partner (ISO 9001, AQAP)
11
R&S®SITLine Ethernet Encryptor
Performance and security for all organizations

| R&S®SITLine | ETH10G/ETH40G | ETH100/ETH1G | ETH50 |
| Number of lines Fast Ethernet (100 Mbit/s) | - | 1, 2 or 4 (ETH100) | 1 |
| Number of lines 1 GbE | - | 1 (ETH1G) | - |
| Number of lines 10 GbE | 1, 4 | - | - |
| Connector, transceiver | Optical / electrical | Optical / electrical | Electrical, built-in |
| Throughput per device | 40 Gbit/s | 1 Gbit/s | Up to 100 Mbit/s |
| Cryptography (all models) | Elliptic curve cryptography with 257 bit key (equals 3 200 bit RSA key); AES with 256 bit key, X.509 certificates | | |
| Operating temperature | +5°C to +50°C | +5°C to +50°C | -20°C to +70°C |
| MTBF | 68 000 h | 47 000 h | 350 000 h |
| Power supply | Redundant internal AC/DC, hot-swap (data center) | Redundant internal AC, hot-swap (data center) | External redundant DC (truck, data center) |
| Form factor | Rack format (19'', 1 HU) | Rack format (19'', 1 HU) | ½ rack format (7.5'', 1 HU, top-hat rail) |
12
Tap-proof communication through encryption
Secure wired and wireless infrastructures
ı Cryptographic authentication and encryption to protect signaling and traffic
ı Central security and network management
ı Session keys are negotiated between the communication partners and changed regularly
ı Possible network taps in between receive only encrypted traffic
Diagram: authentication with Auth-Keys (Auth 1, Auth 2), then a session with data encryption under the session key
13
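The exchange sketched on this slide (authentication with Auth-Keys, then data encryption under a negotiated session key that is renewed regularly), as an added Go example; it is not Rohde & Schwarz code and does not reproduce the SITLine protocol. Our assumptions: P-256 for both the long-term ECDSA authentication keys and the ephemeral ECDH keys, SHA-256 as the key derivation function, a trust store reduced to one expected public key, and the names Peer, AuthMsg, NegotiateSession and ImpostorRejected.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer models one encryptor endpoint: a long-term authentication key (the
// slide's Auth-Key, in a real deployment bound to an X.509 certificate).
type Peer struct {
	authKey *ecdsa.PrivateKey
}

// AuthMsg is the one message each side sends (Auth 1 / Auth 2 on the slide): its
// ephemeral ECDH public key and a signature over it by the long-term key.
type AuthMsg struct {
	EphemeralPub []byte
	Signature    []byte
}

// must aborts on CSPRNG failure: without entropy no key may be created at all.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func NewPeer() *Peer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return &Peer{authKey: k}
}

// AuthPublic is what the other side must already trust (e.g. via a certificate).
func (p *Peer) AuthPublic() *ecdsa.PublicKey { return &p.authKey.PublicKey }

// startSession draws an ephemeral key from the OS CSPRNG and signs its public half.
func (p *Peer) startSession() (*ecdh.PrivateKey, AuthMsg) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	digest := sha256.Sum256(eph.PublicKey().Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, p.authKey, digest[:])
	must(err)
	return eph, AuthMsg{EphemeralPub: eph.PublicKey().Bytes(), Signature: sig}
}

// finishSession verifies the peer's signature with the trusted long-term key
// before deriving anything, then hashes the ECDH secret into a 256-bit AES key.
func finishSession(mine *ecdh.PrivateKey, theirs AuthMsg, trusted *ecdsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(theirs.EphemeralPub)
	if !ecdsa.VerifyASN1(trusted, digest[:], theirs.Signature) {
		return nil, errors.New("peer authentication failed")
	}
	pub, err := ecdh.P256().NewPublicKey(theirs.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // simple KDF for the demonstration
	return key[:], nil
}

// NegotiateSession runs one exchange between a and b and returns the key each
// side derived. Calling it again yields a new, unrelated key (regular rekeying).
func NegotiateSession(a, b *Peer) (keyA, keyB []byte, err error) {
	ephA, msgA := a.startSession()
	ephB, msgB := b.startSession()
	if keyA, err = finishSession(ephA, msgB, b.AuthPublic()); err != nil {
		return nil, nil, err
	}
	if keyB, err = finishSession(ephB, msgA, a.AuthPublic()); err != nil {
		return nil, nil, err
	}
	return keyA, keyB, nil
}

// ImpostorRejected: a party whose long-term key b does not trust cannot complete a session.
func ImpostorRejected() bool {
	a, b, x := NewPeer(), NewPeer(), NewPeer() // x is not in b's trust store
	ephB, _ := b.startSession()
	_, msgX := x.startSession()
	_, err := finishSession(ephB, msgX, a.AuthPublic()) // b expects a, receives x
	return err != nil
}

func main() {
	a, b := NewPeer(), NewPeer()
	k1, k2, err := NegotiateSession(a, b)
	fmt.Printf("session keys match: %v (err=%v)\n", bytes.Equal(k1, k2), err)
	k3, _, _ := NegotiateSession(a, b)
	fmt.Printf("rekey gives a different key: %v\n", !bytes.Equal(k1, k3))
	fmt.Printf("impostor rejected: %v\n", ImpostorRejected())
}
```

Each call to NegotiateSession draws fresh ephemeral keys from the OS random source, which is what makes regular rekeying cheap, and the long-term key only signs, so a compromised session key says nothing about other sessions. A production protocol would additionally bind the signature to the peer's identity and to a transcript of both messages, so that a signed ephemeral key cannot be replayed into a session with a different partner.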
R&S®SITLine ETH
Competing encryption technologies
Layer 1 (WDM, link): encryption for communication links
  Pros
  + No overhead
  + Maximum privacy (encrypted bit stream)
  Cons
  - Point-to-point only
  - No integrity protection
  - Unchanged pre-shared keys (no key negotiation between devices)
  - Specific use cases
Layer 2 (Ethernet): encryption for switched networks
  Pros
  + Low overhead
  + Point-to-multipoint and full mesh
  + Low latency
  + High privacy (encrypted IP packets)
  + Flexible use cases
  Cons
  - IP routing inside the transmission network impossible
Layer 3 (IP): encryption for routed networks
  Pros
  + Point-to-multipoint and full mesh
  + Mobile use cases
  + Cross-vendor operation (IPsec standard)
  + Many access services are IP based
  Cons
  - Overhead, especially in narrowband and broadband scenarios
  - Latency
  - Complexity (IPsec tunnels)
14
Communications security through encryption
IP VPN and L2 VPN
Diagram: IP VPN at layer 3 (network layer): IP header, IP data. L2 VPN (Ethernet) at layer 2 (data link layer): frame header, payload.
15
Encryption modes (1/2)
"Transport" provides network-transparent security
+ Encrypted data has the same size as unencrypted data (without integrity protection)
+ Nearly no impact on data transmission
- Attackers can retrieve information about the internal network structure (address information remains plain/unencrypted)
Diagram: original and encrypted frame/packet, each consisting of header (from: A, to: B), tags, payload and footer; in transport mode the payload is encrypted while the address information stays plain
16
Encryption modes (2/2)
"Tunnel" provides higher privacy
+ Higher privacy due to encrypted address information
- Encryption increases the amount of data to be transmitted
- The transmission network must be able to process larger packets
Diagram: the original frame/packet (header with from: A, to: B, tags, payload, footer) is encrypted as a whole and carried inside a new frame/packet with its own header, tags, payload and footer
17
Ethernet encryption provides higher privacy and saves bandwidth (in comparison to IPsec)
IPsec (Layer 3): L2 Hdr | IP Hdr | Payload Data becomes L2 Hdr | New IP Hdr | IV | Encrypted Data (IP tunnel mode)
Ethernet encryption (Layer 2): L2 Hdr | IP Hdr | Payload Data becomes L2 Hdr | IV | Encrypted Data (L2 transport mode)
Distribution of IP packets according to size ("IMIX traffic"):
| Size | 40 Byte | 576 Byte | 1500 Byte |
| Quantity | 7 | 4 | 1 |
Bandwidth saving: up to 44%
18
Benefit: Significant savings for network security
19
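The two modes from the "Encryption modes" slides and the L2 transport vs. IP tunnel comparison above, as an added Go example rather than the product's own framing: transport mode leaves the Ethernet header in clear and encrypts only the payload, tunnel mode encrypts the whole original frame behind a new outer header. Our assumptions: AES-256-GCM with a 12-byte IV and 16-byte tag, the clear header bound as associated data (which supplies the integrity protection the slide notes transport mode lacks on its own), no VLAN tags, an outer EtherType of 0x88B5, and the names Frame, TransportMode, TunnelMode, Open and AddressesVisible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const (
	ethHdrLen = 14 // destination MAC, source MAC, EtherType
	ivLen     = 12 // AES-GCM nonce sent in clear (the slide's "IV")
	tagLen    = 16 // AES-GCM integrity tag
)

// Frame is a minimal Ethernet frame (no VLAN tags, no FCS) for the demonstration.
type Frame struct {
	Dst, Src  [6]byte
	EtherType uint16
	Payload   []byte
}

func (f Frame) Marshal() []byte {
	b := make([]byte, ethHdrLen+len(f.Payload))
	copy(b[0:6], f.Dst[:])
	copy(b[6:12], f.Src[:])
	binary.BigEndian.PutUint16(b[12:14], f.EtherType)
	copy(b[ethHdrLen:], f.Payload)
	return b
}

// NewAEAD returns AES-GCM; a 32-byte key selects AES-256 as on the slide.
func NewAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal emits hdr in clear, then a fresh IV, then body encrypted with hdr as AAD.
func seal(aead cipher.AEAD, hdr, body []byte) []byte {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	out := append(append([]byte{}, hdr...), iv...)
	return aead.Seal(out, iv, body, hdr)
}

// TransportMode keeps the original header in clear (switches still forward the
// frame, a tap still sees the addresses) and encrypts only the payload.
func TransportMode(aead cipher.AEAD, f Frame) []byte {
	return seal(aead, f.Marshal()[:ethHdrLen], f.Payload)
}

// TunnelMode encrypts the whole original frame, addresses included, behind a new
// outer header; EtherType 0x88B5 (IEEE local experimental) is an assumed choice.
func TunnelMode(aead cipher.AEAD, outerDst, outerSrc [6]byte, f Frame) []byte {
	outer := Frame{Dst: outerDst, Src: outerSrc, EtherType: 0x88B5}.Marshal()
	return seal(aead, outer, f.Marshal())
}

// Open is the receiver for either mode: clear header plus decrypted body, or an
// error if header or body was changed in transit (the AAD binding catches both).
func Open(aead cipher.AEAD, wire []byte) (hdr, body []byte, err error) {
	if len(wire) < ethHdrLen+ivLen+tagLen {
		return nil, nil, fmt.Errorf("frame too short: %d bytes", len(wire))
	}
	hdr, iv := wire[:ethHdrLen], wire[ethHdrLen:ethHdrLen+ivLen]
	body, err = aead.Open(nil, iv, wire[ethHdrLen+ivLen:], hdr)
	return hdr, body, err
}

// AddressesVisible reports whether a passive tap sees the original MAC addresses.
func AddressesVisible(wire []byte, f Frame) bool {
	return len(wire) >= 12 && bytes.Equal(wire[:12], f.Marshal()[:12])
}

func main() {
	aead := NewAEAD(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key
	f := Frame{Dst: [6]byte{1, 2, 3, 4, 5, 6}, Src: [6]byte{7, 8, 9, 10, 11, 12}, EtherType: 0x0800, Payload: []byte("constructed IP packet")}
	tr, tu := TransportMode(aead, f), TunnelMode(aead, [6]byte{0xaa}, [6]byte{0xbb}, f)
	fmt.Printf("transport %d bytes, addresses visible: %v\n", len(tr), AddressesVisible(tr, f))
	fmt.Printf("tunnel %d bytes, addresses visible: %v\n", len(tu), AddressesVisible(tu, f))
	_, _, err := Open(aead, append([]byte{0xff}, tr[1:]...)) // header byte changed in transit
	fmt.Printf("tampered transport frame rejected: %v\n", err != nil)
}
```

Sizes come out as the slides describe: transport adds only the IV and tag (28 bytes here), tunnel adds a further 14-byte outer header, and only in tunnel mode are the original addresses absent from what a tap would copy. Binding the clear header as AAD does not hide it, but it makes a rewritten address fail in Open instead of being silently forwarded.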
Encryption for wired and wireless environments
R&S®SITLine ETH
Confidentiality:
ı Private/public connections between and within sites: VoIP, VCF, database queries
ı Data center interconnection: Carrier/Metro Ethernet, Fiber 1 GbE/10 GbE
ı Radio relay and satellite links: radio relay/microwave transmission, satellite hops
Integrity:
ı Rail control networks: barriers, interlockings, signals, switches
ı Bank CCTV networks: video surveillance, access control
20
Confidential communications between sites and within a single site (L2VPN)
ı Secures video conferences, VoIP calls, database queries, etc.
ı Safeguards lines (point-to-point), star structures (point-to-multipoint) and fully meshed networks (multipoint-to-multipoint)
ı Protects organizations against espionage and manipulated data
ı Customers: organizations with widely geographically distributed sites, e.g.
  - Intelligence services
  - Embassy networks
  - Official government networks
  - High-tech enterprises with subsidiaries
22
One cable – two carrier services
| Managed IP (MPLS IP VPN) | Carrier Ethernet (ELAN, GigE) |
| Router, services, layer 3 | Switch, bridge, layer 2 |
| Low to mid speeds | Mid to high speeds |
| Managed service | Self-managed: total control |
| High QoS | High QoS |
| Large number of sites | Few sites but at high speed |
23
Flat network structure reduces operational expenditures
ı Ethernet service ‘extends’ the local area network to remote locations (L2 VPN)
ı No dedicated IP subnet configuration required
ı Change carrier without reconfiguration of IP settings
Diagram labels: Server, Carrier Ethernet
24
Secure data center interconnection, secure storage area networks (SAN)
ı Central data centers have a redundant design and therefore must be securely interconnected via high-performance lines
ı State-of-the-art technology for this application is Ethernet with a transmission capacity of at least 1 Gbit/s
ı Customers:
  - Large enterprises
  - Data centers (e.g. Fujitsu), trust centers
  - Core network providers/carriers (e.g. Google)
  - Cloud computing providers (e.g. Apple)
Diagram labels: SAN, SAN, Carrier, Dark Fiber, Public connection, R&S®SITLine ETH
26
Safeguarding radio relay and satellite links (SatCom)
R&S®SITLine ETH
ı Ensures information superiority by encryption
  - Transmitted data must be completely free from manipulation and must not fall into the hands of third parties
ı Security during the entire radio relay transmission or during satellite hops
ı Customers
  - Military task forces require fast and reliable status information
  - Government networks (Ministry of Foreign Affairs) and critical infrastructures (energy) need backup communication
  - Oil and gas exploration needs strong protection of its test drilling data
28
Private satellite services
Total control and closed user groups
ı Nearly every public satellite service (Inmarsat, BGAN, etc.) provides IP-based shared Internet access: no use case for the SITLine
ı But: private satellite services allow protocol-agnostic networks for generic data transmission
  - Total control
  - Flexible network planning / customized network structures
  - Bandwidth-optimized usage
  - Higher security (closed user groups)
ı Romantis UHP allows the setup of private satellite networks
29
Every network structure supported
R&S SITLine ETH with Romantis UHP satellite modem
ı Point-to-point
ı Point-to-multipoint (star)
ı Hybrid
ı Multipoint-to-multipoint (fully meshed)
30
R&S®SITLine ETH secures Romantis UHP networks
Application brochure available
31
Integrity protection for railway monitoring and control networks
ı Secures data transmission between transport hubs (e.g. railway stations) and central control centers
ı Protects unattended transport hubs against manipulation
ı Provides extended temperature range, installation with top-hat rail and emergency clear for challenging environments
ı Customers
  - Public transport
  - Integrators
33
Safety and security for railway monitoring and control networks
ı Railway monitoring and control networks are designed to meet safety requirements
  - Redundancy
  - Avoiding mutual interference
  - CRC checksums to deal with transmission errors
ı Resilience to man-in-the-middle attacks requires security functions
  - Integrity protection
  - Encryption with strong authentication
ı SITLine integrates security that supports safety
34
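To make the difference between the safety CRC and a security integrity check concrete, an added Go example (ours, not SITLine code): a constructed three-byte control telegram is protected once with CRC-32 and once with HMAC-SHA256, then exposed to a random bit error and to a deliberate change of the command. The telegram format, the key and the function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Telegram is a constructed control message: which signal, which aspect.
type Telegram struct {
	SignalID uint16
	Aspect   uint8 // constructed encoding: 0 = stop, 1 = proceed
}

func (t Telegram) Encode() []byte {
	b := make([]byte, 3)
	binary.BigEndian.PutUint16(b[0:2], t.SignalID)
	b[2] = t.Aspect
	return b
}

// AppendCRC is the safety layer: a CRC-32 trailer that catches random bit errors.
func AppendCRC(msg []byte) []byte {
	var trailer [4]byte
	binary.BigEndian.PutUint32(trailer[:], crc32.ChecksumIEEE(msg))
	return append(append([]byte{}, msg...), trailer[:]...)
}

func CheckCRC(frame []byte) bool {
	if len(frame) < 4 {
		return false
	}
	n := len(frame) - 4
	return crc32.ChecksumIEEE(frame[:n]) == binary.BigEndian.Uint32(frame[n:])
}

// AppendMAC is the security layer: an HMAC-SHA256 trailer under a key that only
// the two endpoints (here: the devices at hub and control center) hold.
func AppendMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(append([]byte{}, msg...)) // Sum appends the tag to its argument
}

func CheckMAC(key, frame []byte) bool {
	if len(frame) < sha256.Size {
		return false
	}
	n := len(frame) - sha256.Size
	m := hmac.New(sha256.New, key)
	m.Write(frame[:n])
	return hmac.Equal(m.Sum(nil), frame[n:]) // constant-time comparison
}

// FlipBit models a transmission error on the line, the case the CRC exists for.
func FlipBit(frame []byte, bit int) []byte {
	out := append([]byte{}, frame...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

// RewriteAspect models an in-path device that understands the format: it changes
// the command and, since a CRC needs no secret, produces a matching checksum.
func RewriteAspect(crcFrame []byte, aspect uint8) []byte {
	msg := append([]byte{}, crcFrame[:len(crcFrame)-4]...)
	msg[2] = aspect
	return AppendCRC(msg)
}

// Demo reports, for one telegram, whether the CRC catches a line error, whether
// the CRC catches a rewritten command, and whether the MAC catches that rewrite.
func Demo(key []byte) (crcCatchesError, crcCatchesRewrite, macCatchesRewrite bool) {
	msg := Telegram{SignalID: 17, Aspect: 0}.Encode() // constructed: signal 17, stop
	withCRC := AppendCRC(msg)
	crcCatchesError = !CheckCRC(FlipBit(withCRC, 5))
	crcCatchesRewrite = !CheckCRC(RewriteAspect(withCRC, 1))
	withMAC := AppendMAC(key, msg)
	rewritten := append([]byte{}, withMAC...)
	rewritten[2] = 1 // same command change; the tag cannot be recomputed without the key
	macCatchesRewrite = !CheckMAC(key, rewritten)
	return
}

func main() {
	e, r, m := Demo([]byte("constructed demo key, not for real use"))
	fmt.Printf("CRC catches line error: %v\nCRC catches rewritten command: %v\nMAC catches rewritten command: %v\n", e, r, m)
}
```

A CRC is a public function of the data, so any device that can read a telegram can also produce a valid checksum for a changed one; it catches line noise but not manipulation. The HMAC depends on a key the in-path device does not hold, which is the integrity protection the slide asks for alongside the safety mechanisms.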
R&S®SITLine ETH50 secures railway networks
Application brochure available
R&S®SITLine ETH50 supports top-hat rail mounting according to DIN rail
35
Ethernet Encryption by Rohde & Schwarz because…
1. Lowest cost of ownership
  • The only Ethernet encryptor with no need for central key servers, also for fully meshed networks
  • Competitive pricing (ETH40G ~50% list price vs. competitors)
  • Highest "mean time between failures" value (ETH50 > 10 years)
  • Small footprint (1 HU devices with option for multiple crypto ports, up to 40 Gbit/s in 1 HU)
2. Highest availability
  • No single point of failure (autonomous device operation)
  • Redundant design (power supplies, transceivers)
  • Redundant management connections – via IP and Ethernet
  • No downtime for battery exchanges (ETH40G)
3. Highest security
  • Development and production in Germany
  • Full validation processing ("store, check and forward")
  • The only Ethernet encryptor based on a hardware security platform (ETH40G)
  • BSI VS-NfD approved (pending for 40G), CC EAL4+ / FIPS 140-2 compliant
36
R&S®SITLine ETH40G
Hardware differences front
| SITLine generation | SITLine ETH50 | SITLine ETH100/1G | SITLine ETH10G/40G |
| Number of Ethernet data port pairs | 1x Fast Ethernet (100 Mbit) | 1x, 2x or 4x Fast Ethernet (100 Mbit) or 1x 1 Gbit Ethernet | 1x 10 Gbit Ethernet or 4x 10 Gbit Ethernet |
| Display | Status LEDs, port LEDs | Status LEDs, port LEDs, LC display | Status LEDs, port LEDs |
| Emergency clear | 2 buttons | - | 1 buried button, clip required |
| Device token | USB smartcard | USB smartcard | ID-1 smartcard |
| SITScope port (SMS) | No, inband only | SMS and inband | SMS (local management) and inband |
| SNMP port (NMS) | No, inband only | SMS, NMS and inband | SMS (local management) and inband |
| Local management port | USB | USB | SMS (local management) |
| Electrical contacts for local alerting | - | - | Yes, including alert reset button |
| Place for customer annotations | - | - | Pull-out plate |
37
R&S®SITLine ETH40G
Hardware differences inside and back
| SITLine generation | SITLine ETH50 | SITLine ETH100/1G | SITLine ETH10G/40G |
| Tamper concept | Tactile switch observes device opening | Tactile switch with inner and outer security zone | Platform, tamper token |
| Ventilation | Passive air flow | Left to right and to the back | Front to back, supports cold aisle environments |
| Fans | Fanless operation, large cooling element on the bottom | Built-in | Hot-swap |
| Power supply | DC, external, redundant | AC, internal, redundant, hot-swap | AC, DC, internal, redundant, hot-swap |
| Battery | 2 built-in coin cells, exchange requires opening the device and re-initialization | 1 built-in coin cell, exchange requires opening the device and re-initialization | Lithium AA 3.6 V, battery exchange during operation |
38
20.10.2014
SITLine ETH Level 2 Sales Training (W2)
39