Until now, organisations have been forced to choose between security best practices, which dictate encryption of all data in motion, and networking best practices, which among other things dictate the ability to load balance and dynamically route traffic over redundant links. The two conflict because a conventional IPsec tunnel hides the original packet headers from the routers and pins the traffic to a single pair of tunnel endpoints. With CipherEngine™ Policy & Key Manager, organisations no longer have to choose between the two.
CipherEngine is an innovative approach to network-wide encryption. By separating the creation of policies, keys and Security Associations (SAs) into two logical layers and distributing them based on secure user groups, CipherEngine acts as a transparent overlay that integrates easily into any existing network architecture. It maintains all of the security capabilities of IKE and IPsec encryption while removing their traditional limitations, including the lack of scalability and reduced network performance.
CipherEngine Features and Benefits
Data protection for any type of network:
- Hub and spoke, point-to-multipoint, multipoint-to-multipoint and full mesh networks
- Encryption for MPLS, VPLS and Metro Ethernet networks
- Multiple Policy Enforcement Points (PEPs) can be grouped together to form security groups
- Each enforcement point can protect multiple IP addresses and subnets
Data protection for any type of traffic:
- Unicast, broadcast and multicast
- Supports native multicast applications
- Supports redundancy and load balancing
Transparent to the network infrastructure:
- No change to IP addressing
- No router or switch reconfiguration
- No change to Layer 2 (VLAN) or Layer 2.5 (MPLS) tags
Excellent investment protection:
- No change to network infrastructure required
- Processing burden removed from routers, allowing them to perform at maximum capacity
MAP & KAP Functionality
A key differentiator of CipherEngine is the separation of the policy and key management layers from the enforcement layer. It introduces two functional layers: the Management and Policy Server™ (MAP) and the Key Authority Point™ (KAP).
MAP Functionality
The MAP™ is a centralized tool where policies are created and distributed. The MAP layer resides on a server and interfaces with network-based AAA services to authenticate the devices it manages. A network deployment has a single MAP function, which also serves as the monitoring and device management portal. Once the policies are created, they are pushed to the next layer, the KAP.
KAP Functionality
The KAP™ is responsible for creating keys and SAs based on the policies delivered from the MAP. There can be multiple KAPs in a network deployment, configured in either a centralized or a distributed fashion. KAPs push the encryption keys and SAs to the Policy Enforcement Points (PEPs), which perform the encryption in the network. When deployed in a distributed hierarchy, KAPs can also push keys and SAs to other KAPs.
PEPs, while not part of CipherEngine, are a key component of the Policy & Key Management Architecture™ (PKMA). Multiple PEPs can be grouped together under the same policy to allow encryption in point-to-multipoint or multipoint-to-multipoint environments. Once the keys and SAs have been pushed to the PEPs, which are located adjacent to the network perimeter, encryption can take place on a network-wide scale without changing the network topology, impacting application performance or compromising networking best practices.
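To make the division of labour concrete, the following is an added illustrative model of the MAP, KAP and PEP roles described above. It is not CipherEngine's code and does not reproduce its protocol: the class names, the policy fields, the 16-byte SPI/sender/sequence header, the HMAC-SHA256 counter keystream standing in for ESP's cipher, and every address are assumptions made for this example. What it shows is the architectural point of group keying: the KAP issues one SA per policy to every member, so four sites in a full mesh hold one SA each rather than six pairwise tunnels, the same SA protects multicast, and the IP header leaves the PEP unchanged.

```python
"""Illustrative model of the MAP -> KAP -> PEP flow (added example, not CipherEngine code)."""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What the MAP defines: a security group of PEPs and the subnets the group protects."""
    name: str
    members: tuple       # PEP names in the group
    protected: tuple     # subnet strings; traffic between any two of them is protected


@dataclass(frozen=True)
class GroupSA:
    """What the KAP derives from a policy: one SPI and one key shared by every member."""
    policy: str
    spi: int
    key: bytes
    nets: tuple


class MAP:
    """Central policy server; 'authorised' stands in for the AAA lookup the page mentions."""

    def __init__(self, authorised_peps):
        self.authorised = set(authorised_peps)
        self.policies = []

    def add_policy(self, policy):
        unknown = set(policy.members) - self.authorised
        if unknown:
            raise ValueError(f"policy names unauthenticated PEPs: {sorted(unknown)}")
        self.policies.append(policy)

    def push_to(self, kap):
        for policy in self.policies:
            kap.accept_policy(policy)


class KAP:
    """Turns each policy into a group SA and installs it on every member PEP."""

    def __init__(self, peps):
        self.peps = {p.name: p for p in peps}

    def accept_policy(self, policy):
        spi = int.from_bytes(os.urandom(4), "big") | 0x100   # keep clear of reserved SPIs 0-255
        sa = GroupSA(policy.name, spi, os.urandom(32),
                     tuple(ipaddress.ip_network(n) for n in policy.protected))
        for name in policy.members:
            self.peps[name].install_sa(sa)


def keystream(key, spi, sender, seq, length):
    """HMAC-SHA256 counter stream, a stand-in for ESP's AES. The sender id is part of the
    counter block because every group member shares the key (the concern RFC 6054 addresses)."""
    blocks = [hmac.new(key, struct.pack(">IIQI", spi, sender, seq, ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


class PEP:
    """Enforcement point: matches packets against installed SAs and protects the payload only."""
    HDR = struct.Struct(">IIQ")   # SPI, sender id, sequence number (assumed layout)

    def __init__(self, name, sender_id):
        self.name, self.sender_id, self.seq, self.sas = name, sender_id, 0, []

    def install_sa(self, sa):
        self.sas.append(sa)

    def lookup(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for sa in self.sas:
            if any(s in n for n in sa.nets) and any(d in n for n in sa.nets):
                return sa
        return None

    def protect(self, src, dst, payload):
        sa = self.lookup(src, dst)
        if sa is None:
            return src, dst, payload           # no policy covers it: forwarded in the clear
        self.seq += 1
        ks = keystream(sa.key, sa.spi, self.sender_id, self.seq, len(payload))
        body = self.HDR.pack(sa.spi, self.sender_id, self.seq) + bytes(a ^ b for a, b in zip(payload, ks))
        tag = hmac.new(sa.key, body, hashlib.sha256).digest()[:16]
        return src, dst, body + tag            # src/dst untouched: routers and load balancers still see them

    def unprotect(self, packet):
        spi, sender, seq = self.HDR.unpack_from(packet)
        sa = next((s for s in self.sas if s.spi == spi), None)
        if sa is None:
            raise ValueError("no SA installed for SPI")
        body, tag = packet[:-16], packet[-16:]
        if not hmac.compare_digest(tag, hmac.new(sa.key, body, hashlib.sha256).digest()[:16]):
            raise ValueError("integrity check failed")
        ct = body[self.HDR.size:]
        return bytes(a ^ b for a, b in zip(ct, keystream(sa.key, spi, sender, seq, len(ct))))


def demo():
    """Four-site full mesh plus a multicast range under one policy (constructed addresses)."""
    peps = [PEP(f"pep-{i}", i) for i in range(1, 5)]
    policy_server = MAP(p.name for p in peps)
    policy_server.add_policy(Policy("sites", tuple(p.name for p in peps),
                                    ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16", "239.0.0.0/8")))
    policy_server.push_to(KAP(peps))
    src, dst, wire = peps[0].protect("10.1.0.5", "10.3.0.9", b"constructed unicast payload")
    _, _, mcast = peps[1].protect("10.2.0.7", "239.1.1.1", b"constructed multicast payload")
    return {
        "sas_per_pep": len(peps[0].sas),                       # one group SA per member ...
        "pairwise_tunnels": len(peps) * (len(peps) - 1) // 2,   # ... instead of N(N-1)/2 pairwise ones
        "headers_unchanged": (src, dst) == ("10.1.0.5", "10.3.0.9"),
        "unicast": peps[2].unprotect(wire),
        "multicast_receivers": sum(p.unprotect(mcast) == b"constructed multicast payload"
                                   for p in peps if p is not peps[1]),
        "uncovered_in_clear": peps[0].protect("10.1.0.5", "192.0.2.1", b"x")[2] == b"x",
    }
```

Two caveats the model makes visible. Because every member of a group holds the same key, a compromised PEP exposes the traffic of the whole group, not just its own, so group membership is the unit of trust and should be as small as the topology allows. And because several senders share one key, any counter-mode cipher must partition its counter space per sender (here the sender id sits in the counter block; RFC 6054 does this for ESP); a pairwise IPsec tunnel never has this problem.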
Investment Protection for Network Managers
For those who have made significant investments in their network infrastructure, CipherEngine allows them to get the full performance out of those investments by offloading the complexity and processing burden of wide-scale encryption to CipherEngine. Network data protection best practices can then be maintained without impacting network deployments or application performance.