We have to bolt down all our doors and windows to ensure our corporate information is not left out in the open. If sensitive corporate data flows in the clear, be wary of unauthorized access by trespassers who could gain entry through the information highway. We use private and public data networks to send sensitive and confidential information. As networks become more accessible, security risks also rise.
We rely on cryptography to mask messages so only we can see them. Original data is in plain text and when disguised it is called ciphertext. By encrypting our data before we go on the WAN, unauthorized access to the data is prevented.
There are two schools of thought. Some prefer traditional routers, which sit at the periphery of the network to handle link encryption. Others say, “the right box for the right job” — they want stand-alone hardware encryption devices, keeping the security administration separate from routers and network hardware.
Whichever approach you subscribe to, it should be an all-encompassing approach. When access to the hardware is not controlled — that is, when physical access to the router gives expert users total control over the router — then all software security measures become compromised. Link encryptors minimize the risk of undetected manipulation.
It’s a good idea to make encryption hardware independent yet always compatible. It should be completely independent of the IT environment and its network’s operating system, so the security systems can continue to operate regardless of changes or upgrades. We can then ensure red/black separation, that is, the parts of an encryption system that handle plain text (red information) and keys are strictly separated from the parts that handle ciphertext (black information). In this way, plain text channels can’t compromise secret keys.
It’s vital to ensure the keys and their accompanying algorithms are safeguarded within the confines of a tamper-resistant hardware security module. Any detection of tampering attempts should destroy sensitive data.
At the same time, we have to ensure over-the-wire privacy link encryptors act independently of the network protocol equipment. If you have sensitive data that needs to go on the WAN, it is a good idea to position a link encryptor as an interface standing guard between your organization’s intellectual assets and the WAN.
One such device, SafeNet’s SafeEnterprise Link Encryptor is equipped with AES or Triple-DES encryption algorithms, fully automatic Diffie-Hellman public key management, support from 2.4Kbps to 52Mbps and support for HSSI, V.35, RS-232, T1, E1 and T3 interfaces. It’s compliant with FIPS 140-1 (3DES models — Level 3 physical, Level 2 overall). It comes with a front-panel touch pad and LCD display for easy set up, and status and alarm monitoring. For secure remote configuration management and status or alarm monitoring, you can deploy SafeEnterprise Security Management Center (SMC).
Let’s test out the SafeEnterprise Link Encryptor (SLE) and approach it with a dose of healthy skepticism and respect for the seriousness of security.
Connect the SLE with WAN cables on the designated DTE/NET ports. The SLE allows management and monitoring of encryption operations through the front panel or via IP connectivity-based SMC software.
We will do a quick install, that is, turn the physical Medeco key to “enable.” Set the clock source — the default is from NET (Public). Set the interface type (V.35), then set D-H or manual key exchange. This should be fairly straightforward, as we use a manual key exchange. One SLE of a mated pair generates a key using the set manual key option among the key system functions. We take the G1, G2, G3 and G4 field data of the key generated on one SLE and manually enter it into the E1, E2, E3 and E4 fields using the enter key command on the other. Now both encryptors are using the same key. Finally, you can set the mode to secure and remove the Medeco key to finish.
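As an added illustration that is not part of this review or of SafeNet’s firmware, the Python below models the two ways a mated pair ends up holding one link key: automatic Diffie-Hellman agreement, and the manual transcription of the G1..G4 fields read off one unit into the E1..E4 fields of the other, with a short check value an operator can compare on both units before switching to secure mode. The DH group, the key derivation and the check-value construction are assumptions chosen for the example, not the product’s own.

```python
import hashlib
import hmac
import secrets

# Constructed example, not SafeNet code. Group and derivation are assumptions.
# 1024-bit MODP group from RFC 2409 (IKE "group 2"), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Private exponent and public value g^x mod p for one encryptor."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_link_key(my_private, peer_public):
    """Derive a 128-bit link key from the DH shared secret.
    Rejects degenerate peer values (0, 1, p-1) that would force a
    trivial shared secret regardless of our own exponent."""
    if peer_public <= 1 or peer_public >= P - 1:
        raise ValueError("degenerate DH public value")
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:16]

def key_fields(key):
    """Split a 16-byte key into four 32-bit hex fields (the G1..G4 shown on one unit)."""
    return [key[i:i + 4].hex().upper() for i in range(0, 16, 4)]

def key_from_fields(fields):
    """Rebuild the key from the four fields typed into the peer (E1..E4)."""
    return b"".join(bytes.fromhex(f) for f in fields)

def key_check_value(key):
    """Short value both operators can compare before setting secure mode;
    it is derived from the key but does not reveal it."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:8]

if __name__ == "__main__":
    # Automatic path: each unit keeps its exponent, exchanges only g^x.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    assert dh_link_key(a_priv, b_pub) == dh_link_key(b_priv, a_pub)
    # Manual path: unit A generates, operator reads G1..G4 and types E1..E4 on B.
    manual = secrets.token_bytes(16)
    assert key_from_fields(key_fields(manual)) == manual
    print(key_fields(manual), key_check_value(manual))
```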
It is indeed very easy — all configuration can be done via front-panel buttons with the guided configuration menu. The product documentation is user-friendly. Go straight to Appendix A. Here, menu options and flow charts show you how to set up the unit. From the display and keypad your security officer gets access to various functions, such as event logs, key management, network management, system tests and system info.
The link encryptor does not need operator intervention during normal operation. It is fully capable of automatic start-up and resynchronization, even after a power outage. For large deployments use the central-site, rack-mount, high-density, chassis-based, space-saving version.
Pricing begins at US$3,600.
If your requirement dictates high security and system independence from your routers, gateways and other mundane network hardware, then install SafeNet’s SafeEnterprise Link Encryptor. It will definitely meet your aspirations for high-grade WAN security.