R&S®SITLine ETH Ethernet Encryptor

Contents

1. ine 25 Mbit/s: R&S SITLine ETH50 25 5401 8830K02
ine 50 Mbit/s: R&S SITLine ETH50 50 5401 8830K02
ine 100 Mbit/s: R&S SITLine ETH50 100 5401 8830K02

R&S SITLine ETH100, rack format 19, 1 HU
1 line, 100 Mbit/s: R&S SITLine ETH100 110 5401 7004K11
2 lines, 100 Mbit/s: R&S SITLine ETH100 210 5401 7004K12
4 lines, 100 Mbit/s: R&S SITLine ETH100 410 5401 7004K13

R&S SITLine ETH1G, rack format 19, 1 HU
ine 1 Gbit/s: R&S SITLine ETH1G 110 5401 6820K11

R&S SITLine device token (one token required per device)
USB token, smart card: 5410 0650 04

R&S SITScope ETH security management
Server hardware set, consisting of server hardware, keyboard and mouse, basic software, unrestricted GUI license, 1 R&S SITLine terminal license, 3 root tokens, 2 supervisor tokens, 2 manager tokens: R&S SITScope ETH HW 5410 8400K13
Server software set, consisting of basic software, unrestricted GUI license, 1 R&S SITLine terminal license, 3 root tokens, 2 supervisor tokens, 2 manager tokens: R&S SITScope ETH SW 5410 8400K53

R&S SITLine ETH manuals
User manual R&S SITLine ETH100, R&S SITLine ETH1G, German: 5401 8900 31
User manual R&S SITLine ETH50, German: 5401 8875 31
User manual R&S SITLine ETH100, R&S SITLine ETH1G, English: 5401 8900 32
User manual R&S SITLine ETH50, English: 5401 8875 32

Data sheet for R&S SITLine ETH100 1G see PD
2. thernet Encryptor
Secure data nemen via landline, radio relay and satellite links

R&S SITLine ETH Ethernet Encryptor
At a glance

The R&S SITLine ETH is a family of devices for Ethernet encryption and creating secure layer 2 virtual private networks (L2 VPN). The R&S SITLine ETH protects companies and organizations against espionage and manipulation of data that is transported via Ethernet over landline, radio relay or satellite links. The devices in this product family are BSI-approved and can be used in a flexible manner in many stationary and mobile applications.

Figure: R&S SITLine ETH100

The R&S SITLine ETH performs encryption on an Ethernet basis in the ISO/OSI model's data link layer (layer 2) and is thus ideal to protect applications where throughput and time are critical. Communications links over public and private networks can be protected. Using R&S SITLine ETH, the security requirements can be represented fully independently of the existing or planned network structure.

Because Ethernet significantly reduces costs, it has become established in recent years as a true networking alternative to managed IP connections. The R&S SITLine ETH provides different models and performance classes. The R&S SITLine ETH family is a flexible solution to meet changing requirements for a high lev
3. cryption parameters can be configured for the individual communications relationships completely independently of the transported network structure (e.g. IP subnets). This makes it possible to outsource network responsibility while keeping security under the user's full control.

Security management

The R&S SITLine ETH combines two strictly separated management instances:
- Security management system (SMS)
- Network management system (NMS)

The security management system is an autonomous instance with the user's security officer as its central point. The security officer has complete control over all security parameters and functions. All communications between the SMS and the individual devices are just as highly protected as the actual data links. Syslog can be used for integration into any existing log book systems from third-party suppliers.

The network management system can be used to independently control parameters for participating networks. For reporting purposes, the devices use traps to send status messages. These messages can be evaluated by the supplied R&S SITLine administration software or by any SNMP-capable management program.

The two independent reporting mechanisms (Syslog for SMS, traps for NMS) monitor the availability of the infrastructure in two different ways.

Figure captions: R&S SITLine ETH100 4 port device; R&S SITLine ETH50 s
4. - Flexible encryption hardware
- Manipulation-proof devices
- Variable operating modes

Independent secure management
- Separation of network management and security management

Automatic link setup
- Redundant link structure to the security management system
- Self-organizing and self-healing
- Automatic setup of encrypted links

Figure: R&S SITLine ETH1G

Rohde & Schwarz R&S SITLine ETH Ethernet Encryptor 3

Safeguards civil, official and military communications

Originally used only in local area networks (LANs), today Ethernet is a universal transmission technology for wide area networks (WANs). This makes interconnecting sites over global networks just as easy as in-house cabling. Unfortunately, this also means a greater susceptibility to attacks from the public network. These networks are just as easy to eavesdrop on, manipulate and disrupt as ordinary computer networks. The BSI-approved R&S SITLine ETH safeguards communications through consistent encryption on the Ethernet layer. R&S SITLine ETH safeguards public and private Ethernet connections over landline, radio relay and satellite links.

Confidential communications between sites and within a single site (L2 VPN)

Video conferences, VoIP calls, database queries: the confidentiality of communications links within organizations must be safeguarded in order to prevent espionage and undesired manipu
5. layer 2 systems resulting from major update and upgrade cycles is significantly lower than for other solutions.

Figure: Net payload rate (capacity utilization, transmission payload) versus size of packets (transmission units). Curves: IP over Ethernet, L2 encryption without ICV, L2 encryption with 8 byte ICV, IPsec encryption.
For a medium-sized packet size of 250 byte, the R&S SITLine ETH has a significantly higher net payload than IPsec encryption.

Professional certified security

Ethernet is a fixed universal standard for data transmission via cable and radio. However, it does not protect the confidentiality or integrity of the transmitted data. The R&S SITLine ETH provides the necessary protection in a significantly more efficient and effective manner than other solutions. It has been approved by the Federal Office for Information Security (BSI) for handling of classified documents up to the German "restricted" (VS-NfD) level.

Secure authentication

The R&S SITLine ETH uses the following technologies and standards for secure authentication:
- Asymmetric cryptography using elliptic curves with a 257 bit key (roughly corresponds to 3200 bit RSA key)
- X.509 v3 certificates for persons and equipment
6. 5214 0724 22
Data sheet for R&S SITLine ETH50 see PD 5214 4607 22
Product brochure for R&S SITScope see PD 5213 8351 11 and www.rohde-schwarz.com

About Rohde & Schwarz

Rohde & Schwarz is an independent group of companies specializing in electronics. It is a leading supplier of solutions in the fields of test and measurement, broadcasting, radiomonitoring and radiolocation, as well as secure communications. Established more than 75 years ago, Rohde & Schwarz has a global presence and a dedicated service network in over 70 countries. Company headquarters are in Munich, Germany.

Environmental commitment
- Energy-efficient products
- Continuous improvement in environmental sustainability

Certified Quality System ISO 9001

Rohde & Schwarz SIT GmbH
Am Studio 3, D-12489 Berlin
Phone +49 30 65884 223
Fax +49 30 65884 184
E-Mail: info.sit@rohde-schwarz.com
www.sit.rohde-schwarz.com

Rohde & Schwarz GmbH & Co. KG
www.rohde-schwarz.com

Regional contact
- Europe, Africa, Middle East: +49 89 4129 12345, customersupport@rohde-schwarz.com
- North America: 1 888 TEST RSA (1 888 837 87 72), customer.support@rsa.rohde-schwarz.com
- Latin America: +1 410 910 79 88, customersupport.la@rohde-schwarz.com
- Asia/Pacific: +65 65 13 04 88, customersupport.asia@rohde-schwarz.com
- China: +86 800 810 8228 / +86 400 650 5896
7. Secure storage and transport of confidential parameters using smart card technology

Before a link is set up, users are securely authenticated using the certificate issued by the security management system and parameters that are securely provided via a smart card token. A unique set of keys is generated for each management connection and for each of the up to 4000 data connections per device. Key agreement is performed in accordance with the Diffie-Hellman protocol. For key generation, the R&S SITLine ETH uses a true hardware-based random number generator, which is certified in accordance with Common Criteria EAL4.

Flexible encryption hardware

Symmetric algorithms (AES 256) are used. These are integrated into powerful hardware. Special customer requests regarding the cryptographic method can be taken into account upon request.

Manipulation-proof devices

The R&S SITLine ETH features not only cryptographic core functions, but also an intricate system of mechanical and electromechanical security functions. This includes layered security zones, protected memory, protective mechanisms against mechanical manipulation and further security functions to counteract attempts to steal or manipulate secure, confidential information.

Variable operating modes

Depending on the traffic profile and the device model, the R&S SITLine ETH supports different operating modes:
- Point-to-point: Ether
8. Figure: R&S SITLine ETH50
Security management is global for all locations and takes place online for all R&S SITLine ETH devices in the network. Security management does not affect network management.

Automatic link setup

Putting additional systems into operation in an existing complex network can be a challenge. This is particularly true for the configuration and organization of the links to the security management system. Ethernet encryptors must offer excellent security, encompassing confidentiality, authenticity and integrity, while simultaneously meeting demanding requirements for network performance and availability. The R&S SITLine ETH simplifies this process through self-organization of encrypted links, thereby eliminating the risk of faulty configurations.

Figure: Automatic link setup (R&S SITLine ETH50 devices)
The R&S SITLine ETH can be preconfigured before it is sent to the operating site. On startup, it automatically sets up encrypted L2 links. The same applies to backup devices.

Redundant link structure to the security management system

The SMS can directly access an R&S SITLine ETH via each of the device's interfaces: local mana
9. customersupport.china@rohde-schwarz.com

R&S is a registered trademark of Rohde & Schwarz GmbH & Co. KG
Trade names are trademarks of the owners | Printed in Germany (ch)
PD 5214 0724 12 | Version 04.00 | February 2012 | R&S SITLine ETH
Data without tolerance limits is not binding | Subject to change
2008 - 2012 Rohde & Schwarz GmbH & Co. KG | 81671 München, Germany
5214072412
10. 509 v3 certificates AES with 256 bit key CFB interleaved mode other standard algorithms or customer-specific algorithms upon request after two days inband after two days inband R&S SITLine ETH50 1 electrical built in 25 Mbit/s 50 Mbit/s 100 Mbit/s 64 after one to seven days can be configured and deactivated inband independent of security management supports SNMP versions v1, v2c and v3 R&S SITLine administration software for stand-alone operation R&S SITScope German restricted VS-NfD NATO restricted interoperability test Common Criteria EAL 4 5 °C to 50 °C 20 °C to 70 °C 51000 h 110 V or 240 V 50 Hz or 60 Hz rack format 19, 1 HU 438 mm x 61 mm x 498 mm (17.2 in x 2.4 in x 19.6 in) R&S SITLine administration software for stand-alone operation German restricted VS-NfD NATO restricted interoperability test Common Criteria EAL 44 49000 h 110 V or 240 V 50 Hz or 60 Hz max. 5.2 kg (11.5 lb) including installation fixtures max. 16 kg (35.3 lb) German restricted VS-NfD NATO restricted interoperability test Common Criteria EAL 44 20 °C to 70 °C 40 °C to 70 °C 350000 h without fan 24 V DC to 60 V DC half rack format 7.5, 1 HU top hat rail (DIN rail) 190 mm x 36 mm x 190 mm (7.5 in x 1.4 in x 7.5 in) max. 1.5 kg (3.3 lb) max. 3 kg (6.6 lb)

Ordering information

R&S SITLine ETH50, half rack format 7.5, 1 HU
11. Figure axis: time in years.
Compared with IPsec, Ethernet encryption with R&S SITLine ETH reduces the TCO by 25 % within 5 years.

Low space and energy costs

The compact design, low module height and different device classes make it possible to save on both installation space and energy. The multiport device provides the functionality of up to four devices while consuming only the space and power of a single device. The option to safeguard up to four physical lines with a single device is unique worldwide.

Lower transmission costs than with managed IP

The significantly lower overhead for Ethernet encryption and the resulting improvement in the net-to-gross transport ratio reduces the transport costs for the payload. Depending on the traffic profile and the selected security functions, the net payload rate only drops by 0 % to 13 % when using Ethernet encryption. By way of comparison: an IPsec-secured L3 VPN reduces the net payload rate by up to 60 % due to the overhead. In addition, purchasing Ethernet as a WAN service from a carrier is usually significantly more economical than, for example, managed IP services.

Low maintenance and service requirements

Ethernet operates independently of the logical IP network structures. This eliminates the need for adaptations when integrating new applications, changing providers or migrating to higher-level network protocols (e.g. IPv4 to IPv6). Experience has shown that the service costs for
12. el of investment protection.

Key facts
- Ethernet encryptor in performance classes from 25 Mbit/s to 1 Gbit/s
- Advanced cryptographic methods and standards (elliptic curves, AES, X.509)
- Flexible deployment in both simple and complex network structures: safeguarding lines (point-to-point), star structures (point-to-multipoint) and fully meshed networks (multipoint-to-multipoint); maximum bandwidth efficiency (avoidance of overhead); for Ethernet connections via landline, radio relay and satellite links
- Extremely compact design (1 HU), very low specific energy consumption, low total cost of ownership (TCO)
- BSI-approved up to German "restricted" (VS-NfD) and NATO restricted

Figure: R&S SITLine ETH50

R&S SITLine ETH Ethernet Encryptor
Benefits and key features

Secure civil, official and military communications
- Confidential communications between sites and within a single site (L2 VPN)
- Safeguarding of radio relay and satellite links (SatCom)
- Integrity protection for public transport (railway, road tolls)
- Secure data center interconnection, secure storage area networks

- Minimum investment for installation and configuration
- Low space and energy costs
- Lower transmission costs than with managed IP
- Low maintenance and service requirements

Professional certified security
- Secure authentication
13. gement ports as well as data ports. Only the device's IP address for the SMS functions and the associated gateway address need to be entered.

Self-organizing and self-healing

Only a small amount of initial configuration data needs to be transferred offline to the devices' smart card token. All other settings take place dynamically and securely online. The security concept also provides the flexibility to quickly replace a device (e.g. after servicing) without time-consuming reconfiguration. This also helps to maximize the availability of secure communications. Automatic configuration adaptation takes place continually. If the management connection fails, the R&S SITLine ETH will automatically search for alternative connections to the SMS.

Automatic setup of encrypted links

The individual certificates for the devices are used to determine which parties are authorized to set up connections. Encrypted links can be configured without detailed network data. Encrypted links are automatically set up even when the network configuration changes. Each connection with another authorized communications party is always set up as an encrypted link. If it is not possible to set up an encrypted link because the agreed security procedure could not be completed, data is blocked for this network area. This eliminates the possibility of unintentional or unnoticed communications via unencrypted links. This behavior can only be modified by
14. lation of data. This is especially important if parts of the communications links are established over long distances, as is the case for organizations with geographically dispersed sites or for networking within a larger campus. Here, the flexibility and variability of the R&S SITLine ETH are highly beneficial. All of the devices are interoperable. Depending on the site to be integrated, the optimal device can be selected based on criteria such as the required transmission capacity, the number of necessary connections and the environmental conditions. From the encryption of individual lines or applications to the safeguarding of complex structures, the interoperability allows the security solution to grow along with the network. This provides long-term investment protection for users.

Safeguarding of radio relay and satellite links (SatCom)

Precise, timely information is necessary for strategic command and control of armed forces. Situation reports with image and video material often need to be transmitted over long distances. Here, radio relay and SatCom links are used to connect field units to the central unit (e.g. control center, headquarters), which in many cases might even be on a different continent. In order to ensure information superiority, the data must be completely free from any manipulation and must not fall into the hands of third parties: reason enough to use strong encryption. However, the encryption must no
15. net private line (EPL), dedicated Ethernet line
- Point-to-multipoint: Ethernet virtual private line (EVPL), logical channels on one line
  - With VLAN IDs from the customer network and EVPL service in the WAN (VID EVPL)
  - Without VLAN IDs from the customer network and EVPL service in the WAN (MAC EVPL)
- Multipoint-to-multipoint: Ethernet LAN (ELAN) in the WAN (MAC ELAN), without VLAN IDs from the customer network

Each operating mode can be used in transport mode and in tunnel mode.

In scenarios where two devices are directly interconnected without a switch, the R&S SITLine ETH100 and the R&S SITLine ETH1G can alternatively be operated in bulk mode. Bulk mode encrypts all Ethernet packets, including protocol information, without additional overhead, offering a higher degree of confidentiality with maximum data throughput.

Figure: R&S SITLine ETH50

Independent secure management

The R&S SITLine ETH combines high-quality, reliable protection of sensitive data with the ability to separately monitor the network structures involved in the data transfer.

Separation of network management and security management

Due to the strict separation of the security management system (SMS) and the network management system (NMS), connection monitoring can be delegated to the network operator without compromising security. The en
16. t place any additional loading on the already very narrow bandwidth of the radio relay or SatCom link. Especially in scenarios with narrow bandwidth allocations, the basic design concept of the R&S SITLine ETH provides clear benefits. Compared with classic IP encryption, the R&S SITLine ETH requires significantly less protocol information (overhead) for encrypted transmissions. During the entire radio relay transmission or during satellite hops, the information is protected against eavesdropping and manipulation despite throughput limitations.

Figure: R&S SITLine ETH protects communications within critical infrastructures such as public transport systems.

Integrity protection for public transport (railway, road tolls)

Public transport networks are managed in central control centers, which are supplied with information from transport hubs (e.g. railway stations, signal boxes) that may be unattended. Automation enables tighter scheduling of trains and greater punctuality. However, unattended transport hubs require a higher level of protection against manipulation, especially if they are connected to the control center over public networks. In this case, cryptographic functions can safeguard the integrity and confidentiality of the transmitted data. Special R&S SITLine ETH models are available for use in more challenging environments (e.g. extended temperature range, installation
17. the security officer by actively setting up an exception rule.

Specifications in brief

Row labels:
Ethernet ports: Number of lines per device; Connector/transceiver; Performance (throughput per line); Number of links
Supported Ethernet services: ERS (Ethernet link encryptor, Ethernet dedicated line); EVPL (VLAN-based encryption); MAC EVPL (MAC-address-based encryption); MAC ELAN (MAC-address-based encryption via port-based E-LAN)
Cryptography and security: Transport/tunnel mode; Bulk mode (back-to-back); Asymmetric (Key agreement, Digital signature, Authentication); Symmetric; External emergency erasure; Emergency erasure after loss of power
Management system: Standard port for management system; Separate port for R&S SITScope ETH security management; Network management; Security management
Approvals, certifications: BSI; EANTC; Key generation (TRNG); CE approval
General data: Operating temperature range; Storage temperature range (not initialized); MTBF; Power supply
Dimensions and weight: Form factor; Dimensions (W x H x D); Weight; Shipping weight

Values:
R&S SITLine ETH1G: 1; optical/electrical, exchangeable (SFP); 1 Gbit/s; 4000
R&S SITLine ETH100: 1, 2 or 4; electrical, replaceable (SFP); 100 Mbit/s; 4000
257 bit ECC key (roughly corresponds to 3200 bit RSA key); Diffie-Hellman (DH ECKAS protocol); ECDSA; X
18. with top hat rail (DIN rail), external emergency erasure).

Secure data center interconnection, secure storage area networks

Central data centers in a corporation typically have a redundant design. The centers must be securely interconnected via high-performance lines. The state-of-the-art transmission technology for this application is Ethernet services with a transmission capacity of at least 100 Mbit/s and typically several Gbit/s. The R&S SITLine ETH can be scaled for connections in the Mbit/s and Gbit/s range. The R&S SITLine ETH multiport model can also be used to efficiently safeguard dedicated Ethernet lines that are connected in parallel.

Low system costs

Compared with other communications and security solutions, Ethernet carrier services protected by the R&S SITLine ETH have the dual benefits of higher security and lower operating costs.

Minimal investment for installation and configuration

The R&S SITLine ETH integrates into a network in a fully transparent manner. Except for the security parameters, no other network-specific configuration steps are required. Ethernet is a plug & play technology and therefore requires almost no configuration effort. This saves installation time and expense.

Figure: Low system costs. Legend: transmission costs (L3 encryption), transmission costs (Ethernet encryption). Axis: costs.
