Arcis Multilayer & MPLS Encryption


IDQ’s multi-layer Arcis encryptors are encryption appliances which provide data protection – MPLS encryption, IP packet encryption for Layer 3 networks and Layer 4 data payload encryption – for IP and MPLS networks and for Video and Voice-over-IP applications.


  • MPLS Encryption
  • IPSec Encryption
  • Point-to-Point and Multipoint Encryption
  • Cloud Encryption
  • Voice and Video over IP

For more details, download the applications datasheet.


Arcis encryptors offer full-duplex encryption at rates ranging from 3Mbps to 1Gbps using the leading AES 256 algorithm. In addition, the integrity of the data is guaranteed through use of leading authentication protocols.

The Arcis solution enables organisations to standardise on a single platform capable of encrypting at different layers and at various throughputs. This allows companies to purchase software licenses for their existing encryption hardware as their bandwidth needs increase, providing both flexibility and investment protection. Arcis encryptors operate transparently to the network infrastructure, allowing easy integration without the requirement to upgrade or change the network architecture. The solution is also compatible with load balancing, highly available network designs, QoS and network monitoring tools.


The TrustNet Manager gives network administrators the capability to provision and centrally manage Arcis appliances within large enterprise networks in a secure and easy way.



Arcis encryptors support multi-layer IP network and MPLS encryption for Video and Voice-over-IP applications and managed service (IaaS) environments. In addition the virtual vARC allows to encrypt virtual machines to protect data in the cloud.

L3 IPSec Encryption
Using the IP Security (IPsec) protocol, Arcis encryptors provide full data encryption for Layer 3 IP networks. The IP packet is encrypted, while preserving the original IP header. This unique functionality maintains network transparency, while providing maximum data protection.

L4 Payload Only Encryption
In addition to standard IPsec encryption, (which encrypts the Layer 4 header), Arcis encryptors offer a Layer 4 compatible “payload only” encryption option leaving application identifiers and other TCP/UDP data in the clear. This unique capability allows network services, such as Netflow/Jflow, and Class of Service (CoS) based traffic shaping, to be maintained through the service provider network while the payload itself is encrypted. This option is particularly useful for video & voice communications.

Layer 4 Encryption benefits include:

  • Ability to pass encrypted data through NAT devices
  • Support for policy-based routing and load balancing
  • Lower packet overhead
  • Netflow/Jflow support
  • Infrastructure independent
  • Network high availability and failover transparent
  • Improves performance over Layer 3 IPsec tunnels


Point to Point Encryption
Point to point encryption for data center interconnection and LAN extension (campus network) are supported up to 10Gbps. Latency is between 0.2 and 2.5 milliseconds
Hub & Spoke & Fully Meshed Encryption
Arcis encryptors support unicast, broadcast & multicast encryption for meshed networks. Provisioning and ongoing management of security policies is facilitated through:

  • Protection of any-to-any communications without impacting application performance
  • Group key encryption for ease of configuration and scalability
  • Selective encryption based on different network protocols or security groups

The ability to define group encryption policies from a central location greatly simplifies the installation and management process of network encryption. Changes to the network can be accomplished in seconds using the drag and drop policy builder, even for large networks with multiple, overlapping encryption groups. The result is that it is easy to define and deploy group encryption policies from anywhere using a central server for key generation and distribution.

By avoiding the use of traditional IPsec or Macsec tunnels, group encryption keys greatly reduce deployment complexity and provide fully meshed encryption that is easy to manage.

Group Encryption is well suited to encrypting multicast traffic because traffic encrypted with a group key can be decrypted by all of the group members without re-encapsulating it or rekeying it for each individual destination with a unique key (as is necessary with IKE tunnels).

Encryption groups can easily be created for multicast video or Voice over IP without adding measurable latency or jitter, and without the need to modify native traffic flows. The benefit of this approach is that multicast traffic can be encrypted without changing the application or the network.

A typical multipoint architecture is pictured below:

Encryption in the Cloud
The Arcis TrustNet Manager also supports managed service and cloud environments. This allows support for multiple customers by a single Managed Services provider (MSP), with per-customer control. MSPs can provide a profitable, secure service without impacting their SLAs or other managed services.

Customers can control their security policies and encryption keys but outsource management and hardware support – in other words, they enjoy the benefits of managed services without giving up security. Each customer has secure access to the management GUI for their encryptor set only.

The MSP hosts multiple encryptors, but manages them through a single interface. Each user has control and visibility on their own security policies and group of encryptors, but do not see or have access to any other users within the MSP network.

In addition, cusotmers can encrypt a virtual machine within a third party server to ensure security of thier data in the cloud.

A typical architecture is pictured below.

Features & Benefits

Arcis solutions provide data authentication as well as encryption to ensure both data integrity & confidentiality

Arcis offers significant cost and performance advantages over tunnel based IPSec

  • High performance (supports latency sensitive applications)
  • Easy policy management and automatic, seamless key rotations
  • Group keys facilitate easy & secure management of multicast meshed networks

Arcis works where traditional IPSec does not

  • Encrypts virtual machines in the cloud
  • Layer 3 and 4 networks (IPSec & Layer 4 payload only)
  • Multi-vendor and multi carrier networks
  • Supported networks : MPLS meshed networks, IPSec site-to-site, Voice and Video over IP applications
  • Compatible with load balancing, highly available network designs, QoS and network monitoring tools

Arcis is transparent to networking infrastructures

  • Allows separate control of security polices and network functions
  • Allows secure adoption of new technologies (including cloud infrastructures)
  • Does not impact SLAs, network protocols or business applications

Arcis provides high security with easy management

  • Secure centralised encryptor management for easy policy configuration, implementation and control
  • Built for security & certified FIPS 140-2 for Arcis products
  • Advanced security features including granular policy management & separation of duties (role-based access control)
  • Robust anti-tamper security measures
  • Provides audit trails & alerts, and compatible with standard monitoring tools

Arcis encryption platform allows adjustable bandwidths

  • Reduce upfront costs and allow network evolution
  • Upgrade to higher bandwidths through a software license
  • Compatibility between different bandwidth encryptors on network
  • Bandwidths are based on encrypted throughput only (protocols passing in clear are not limited in bandwidth)

Share on LinkedInTweet about this on TwitterShare on Google+Share on FacebookEmail this to someone