Centauris Ethernet Encryption

SWISS QUANTUM SECURITY

The Centauris family is a range of quantum-safe, high-performance Layer 2 wire-speed encryptors designed to protect data in transit at rates from 100Mbps to an aggregated 100Gbps. The encryptors integrate transparently into existing networks and can be upgraded to quantum key distribution through the addition of the Cerberis QKD Server for long-term data protection.

Applications

  • Data Center Interconnect encryption
  • Data Recovery Center encryption
  • Storage Area Network encryption
  • LAN and MAN encryption
  • Fully meshed wide area network encryption
  • Multi-tenancy encryption for MSPs

For more details, download the applications datasheet.

Description

ID Quantique’s Centauris network encryptors protect data in transit, combining high network performance with quantum-safe security. The Centauris platform provides Fibre Channel and Ethernet encryption up to an aggregated throughput of 100Gbps on local and storage area networks for data back-up and recovery, as well as on fully meshed global WANs for international operations.

Built on a flexible and scalable platform, the encryptors support diverse applications in WAN, MAN and SAN environments. With 100% data throughput up to 10Gbps and latency as low as 7 microseconds per link, Centauris is suited to high-performance network encryption for data centers and metro or campus area networks. Advanced management and monitoring tools, together with group key encryption, keep complex multipoint WANs manageable. Bandwidth is customizable, with additional bandwidth available through software licenses, so the network can scale without hardware replacement. All Centauris encryptors, whatever their bandwidth, interoperate within the same network in point-to-point and multipoint topologies (including the multi-link CN8000).

SECURITY

Centauris encryptors are designed for security, with data encrypted using the proven AES 256-bit algorithm. They are the world’s first encryptors to be compatible with quantum cryptography (see below), offering quantum-safe data communications. The latest Centauris encryptors use key material from IDQ’s Quantum TRNG and may be upgraded to include Quantum Key Distribution for long-term data protection. The products are certified (or certification is pending) according to international security standards (Common Criteria EAL4+ and FIPS PUB 140-2 Level 3).

MANAGEMENT

Centauris encryptors work in point-to-point mode for Ethernet and Fibre Channel, and in point-to-multipoint and fully meshed multipoint modes for Ethernet, supporting the encryption of unicast, broadcast and multicast communications. All encryptors in the Centauris family are compatible, allowing, for example, one encryption card in the CN8000 to be connected in a meshed network to multiple other dedicated Centauris encryptors in a campus or wide area network.

Advanced Group Key Encryption simplifies management of such multipoint environments, with separate keys assigned to different VLANs or MAC addresses. The Centauris platform may be provisioned and managed locally or remotely through a secure management interface, CypherManager, with easy upgrade and diagnostic capabilities. Logs and alerts can be integrated into standard SIEM or network monitoring platforms.

QUANTUM-SAFE SECURITY

The latest Centauris encryptors use key material generated by Quantis – IDQ’s Swiss-certified quantum TRNG (True Random Number Generator) – to ensure highly secure, truly random keys.
The Centauris encryptors may be upgraded to quantum cryptography through the addition of the Cerberis Quantum Key Distribution (QKD) server, making the solution quantum-safe for the long-term protection of sensitive data and protecting the investment in the encryptors. In this configuration the bulk data path is still AES-256; what QKD changes is where the key material comes from. Because QKD’s security rests on physics rather than on a computational hardness assumption, an eavesdropper on the quantum channel is detectable, and keys established this way remain secure against future brute-force attacks and against quantum computers, so traffic recorded today cannot be decrypted later.

Additional security is provided by advanced anti-tamper and physical protections. State-of-the-art key management delivers automated security with no manual intervention required. Advanced security features also include granular policy management and best-practice separation of duties on a per-device or even per-card level.

Applications

Centauris encryptors work across point-to-point, point-to-multipoint and fully-meshed network topologies.

POINT TO POINT

Centauris encryptors work in point-to-point mode for high-performance data center interconnection, LAN extension or metropolitan backbone connection. They support Ethernet up to 10Gbps, Fibre Channel up to 4Gbps and SONET/SDH up to OC-192, as well as protocols such as Fibre Channel over IP (FCIP) or iSCSI.

POINT-TO-MULTIPOINT AND FULLY MESHED

The Centauris Ethernet Encryptor can also be used to secure multipoint networks across a transparent LAN service (carrier Ethernet service or Layer 2 MPLS service). Both hub & spoke and fully meshed topologies are supported. Encryptors operating at different speeds can be used simultaneously in a network (e.g. 10Gbps at the HQ connected to 1Gbps or 100Mbps units in the field).

  • Unicast, Multicast or Broadcast traffic encryption
  • Support of Encrypt, Discard or Bypass modes
  • Support of Jumbo frames
  • Supports 256 VLANs (802.1Q)
  • Automatic discovery of multicast encryption groups
  • Automatic aging/deletion of inactive groups
  • Secure distribution and updates of keys to all members of multicast groups
  • Fault tolerance to network outages and topology changes
  • Remote management through secured SNMPv3 connection

Multicast and Broadcast Traffic

Multicast and Broadcast traffic between encryptors in line mode (point to point) shares the same single key pair used by unicast traffic.

Multicast and Broadcast encryption within a multipoint network uses a group key management infrastructure in which each encryptor holds a set of encryption keys per multicast MAC address or per VLAN group. The same group key management scheme serves both multicast and VLAN-based encryption and is responsible for keeping group keys consistent across the visible network. It is designed to be secure, dynamic and robust, surviving network outages and topology changes automatically. It does not rely on an external key server to distribute group keys, since such a server would be both a single point of failure and a single point of compromise.

For robustness and security, a group key master is automatically elected among the encryptors visible to each other within a mesh, based on the actual traffic.

If a communications problem segments the network, each segment automatically elects its own group key master. When the segments reconnect, a single group key master is transparently re-elected for the whole mesh.
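The election, partition and re-merge behaviour described above, as an added simulation that is not ID Quantique’s code and makes no claim about the real protocol: the election rule (lowest device ID among encryptors that can see each other), the per-group key derivation (HMAC-SHA256 over the master’s secret) and the policy of rekeying on every membership change are all assumptions chosen for the illustration; `os.urandom` stands in for the quantum TRNG, and the device names and the multicast address are constructed sample data.

```python
# Added illustration (not IDQ's code) of election-based group keying in an
# encryptor mesh; election rule, KDF and rekey policy below are assumptions.
import hashlib, hmac, os
from collections import deque
from itertools import combinations, product

KEY_BYTES = 32  # AES-256 group keys
MDNS = "01:00:5e:00:00:fb"  # constructed sample multicast group address


class Encryptor:
    def __init__(self, dev_id):
        self.dev_id = dev_id
        self.master_id = None       # master of the segment this unit can see
        self.group_keys = {}        # VLAN id or multicast MAC -> AES key
        self.last_seen = {}         # group -> time its traffic was last seen
        self.master_secret = None   # master only: root of its group keys
        self.members = frozenset()  # master only: segment the secret covers

    def observe(self, group, now):  # auto-discover or refresh a group
        self.last_seen[group] = now

    def age_out(self, now, ttl):    # delete groups idle for longer than ttl
        for g in [g for g, t in self.last_seen.items() if now - t > ttl]:
            del self.last_seen[g]
            self.group_keys.pop(g, None)

    def derive_group_key(self, group):  # assumed KDF: HMAC-SHA256 per group
        return hmac.new(self.master_secret, f"group:{group}".encode(),
                        hashlib.sha256).digest()[:KEY_BYTES]


class Mesh:
    def __init__(self, dev_ids):
        self.nodes = {d: Encryptor(d) for d in dev_ids}
        self.links = set()

    def link(self, a, b, up=True):  # a link comes up or goes down
        (self.links.add if up else self.links.discard)(frozenset((a, b)))

    def segment(self, start):       # encryptors reachable from start
        seen, queue = {start}, deque([start])
        while queue:
            x = queue.popleft()
            for y in (next(iter(l - {x})) for l in self.links if x in l):
                if y not in seen:
                    seen.add(y)
                    queue.append(y)
        return frozenset(seen)

    def converge(self):  # elect a master per segment, distribute its keys
        assigned = {}
        for start in sorted(self.nodes):
            if start in assigned:
                continue
            seg = self.segment(start)
            master = self.nodes[min(seg)]             # assumed: lowest ID wins
            if master.members != seg:                 # membership changed: rekey
                master.master_secret = os.urandom(KEY_BYTES)  # QTRNG stand-in
                master.members = seg
            groups = set().union(*(self.nodes[d].last_seen for d in seg))
            keys = {g: master.derive_group_key(g) for g in groups}
            for d in seg:
                node = self.nodes[d]
                node.master_id, node.group_keys = master.dev_id, dict(keys)
                if node is not master:                # a demoted master forgets
                    node.master_secret, node.members = None, frozenset()
                assigned[d] = master.dev_id
        return assigned


def run_demo():  # full mesh of four, an outage splits it, then it heals
    mesh = Mesh(["enc-A", "enc-B", "enc-C", "enc-D"])
    for a, b in combinations(mesh.nodes, 2):
        mesh.link(a, b)
    for d in ("enc-A", "enc-B", "enc-C"):
        mesh.nodes[d].observe(10, now=0)              # VLAN 10 traffic seen
    for d in ("enc-C", "enc-D"):
        mesh.nodes[d].observe(MDNS, now=0)            # multicast traffic seen
    r = {"masters_full": mesh.converge()}
    k10 = mesh.nodes["enc-A"].group_keys[10]
    r["all_share_full"] = all(n.group_keys[10] == k10 for n in mesh.nodes.values())
    for a, b in product(("enc-A", "enc-B"), ("enc-C", "enc-D")):
        mesh.link(a, b, up=False)                     # outage: {A,B} | {C,D}
    r["masters_split"] = mesh.converge()
    r["split_keys_differ"] = mesh.nodes["enc-A"].group_keys[10] != mesh.nodes["enc-C"].group_keys[10]
    mesh.link("enc-A", "enc-C")                       # one link back: one master
    r["masters_merged"] = mesh.converge()
    k10_new = mesh.nodes["enc-D"].group_keys[10]
    r["all_share_merged"] = all(n.group_keys[10] == k10_new for n in mesh.nodes.values())
    r["rekeyed_on_merge"] = k10_new != k10
    mesh.nodes["enc-A"].observe(10, now=90)           # VLAN 10 still active at A
    for n in mesh.nodes.values():
        n.age_out(now=100, ttl=60)                    # multicast group went idle
    mesh.converge()
    r["mcast_aged_out"] = all(MDNS not in n.group_keys and 10 in n.group_keys
                              for n in mesh.nodes.values())
    return r


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the result dictionary: one master for the full mesh, two masters after the outage (each half keying VLAN 10 independently), one master again after reconnection, and VLAN 10 rekeyed on the merge. Rekeying on every membership change is the conservative choice: an encryptor that has dropped out of a segment keeps only keys the remaining members have already replaced. The ageing step shows why group discovery is driven by observed traffic: an idle multicast group loses its key everywhere, while a VLAN still active at a single encryptor keeps one.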

Features & Benefits

High-performance, state-of-the-art Swiss Quantum security, reducing the cost of company-wide data encryption.

State-of-the-Art Swiss Quantum Security

  • Quantum-safe for long-term data protection – provides future-proof encryption which can be upgraded to quantum cryptography (QKD) to withstand quantum computers (selected encryptors)
  • High quality encryption keys generated through IDQ’s quantum True Random Number Generator (selected encryptors)
  • Group key management to ensure secure, scalable and efficient management of multipoint architectures
  • Support for internal and external Certificate Authority
  • Highly resilient group key management, designed for automatic resilience to network outages and topology changes
  • Secure key exchange with automatic and seamless key change and refresh
  • Leading standards-based encryption – 256-bit AES
  • Built for security and certified (or pending) CC EAL4+ and FIPS 140-2 Level 3

High-Performance Scalable Encryption

  • Encrypted throughput up to 10Gbps with latency as low as 7 microseconds per link
  • Bump-in-the-wire layer 2 encryption does not affect latency sensitive applications
  • Ability to upgrade to higher bandwidths through software licenses for network scalability
  • Encrypts all network protocols for extra security
  • Reduces costs for large-scale data encryption: provides aggregated throughput of up to 100Gbps encryption performance cost effectively at a fraction of the cost of multiple dedicated encryptors
  • Allows companies to encrypt all their data on a company-wide level on a single encryption platform

Transparent to Network and Applications

  • 100% bandwidth available, with no encryption overhead
  • Easy installation into existing network architectures without expensive network equipment upgrades required
  • Low cost maintenance (“set and forget”)
  • Infrastructure neutral: compatible with underlying networking equipment regardless of vendor
  • Support for point-to-point, hub & spoke and fully meshed Ethernet architectures with unicast, broadcast and multicast encryption

Operation

  • Point-to-point, hub & spoke and multipoint connection modes
  • Multipoint mode may be MAC-based or VLAN based
  • Unicast, Multicast or Broadcast traffic encryption
  • Encrypt, Discard or Bypass modes

Advanced Management Tools

  • Easy policy configuration and efficient & secure daily management through centralized intuitive GUI, with minimal maintenance requirements
  • Management  tools allow easy implementation and monitoring of best-practice security policies (such as Separation of Duties, etc)
  • Local CLI management option