Tuesday, November 30, 2010

Thales Expands its Multipoint Offering and adds MPLS–awareness Capability to its Layer 2 Ethernet Encryptor Family

Thales, leader in information systems and communications security, announces that its entire line of Datacryptor Ethernet Layer 2 network encryptors now has the capability to operate in multipoint meshed environments and to support encrypted connections over end-to-end Multiprotocol Label Switching (MPLS) networks.

The hardware-based, stand-alone security platforms deliver full duplex point-to-point and fully-meshed multipoint encryption of sensitive data over Ethernet collision domains. The 100 Mbps, 1 Gbps, and 10 Gbps models secure the confidentiality and integrity of sensitive and high-value data, voice, and video by protecting broadcast and multicast connections, addressing the market's need for high-speed security over wide area networks. “The explosive growth in the volume of data used to carry out day-to-day business and the growing distributed operational environment are making organizations today more vulnerable than ever to data breaches that can have profound effects on their operational bottom line and reputation.

As a result, protecting the confidentiality and integrity of data where it is most vulnerable – in transit – has become paramount. Government and enterprise customers looking for a secure and cost-effective way of handling their data transport needs are turning to Ethernet Layer 2 encryption. Yielding minimum overhead and latency, the technology saves customers bandwidth cost and does not affect operational performance,” says Franck Greverie, Thales Vice President in charge of information technology security activities. “Thales is dedicated to finding solutions to customer problems, and the introduction of a complete line of Layer 2 Ethernet encryptors addressing multipoint and MPLS applications offers unprecedented advantages, allowing customers to better utilize their data transport infrastructure in a cost-effective and secure manner.”

Datacryptor recently received the Editor’s Choice Award from Military Embedded Systems for the security, compatibility and performance it provides commercial and government applications.

Notes to editors
The Information Technology Security activities of Thales
Thales is a leading global provider of data encryption solutions to the financial services, high technology manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies and 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions.

Thales nShield Connect

Thales nShield Connect, part of the nCipher product line, is a network-attached, general-purpose hardware security module (HSM) that protects up to 100 clients by safeguarding their encryption and digital signing keys and processing sensitive data on the trusted appliance.

nShield Connect enables enterprises to add hardware protection to critical applications such as public key infrastructures (PKIs), databases, web and application servers. Using standard cryptographic interfaces, nShield Connect integrates readily with Microsoft Certificate Services (PKI), Entrust Authority Security Manager, RSA Certificate Manager, Oracle Database, Microsoft SQL Server, and many other applications. Its unique dual, hot-swap power supplies and redundant, field-replaceable fans make nShield Connect fault tolerant. Providing high availability, scalability and remote management, it enables organizations to build reliable, future-proof cryptographic services.

Its security boundary is validated for FIPS 140-2 Level 3 and Common Criteria EAL4+.
nShield Connect replaces netHSM, the previous model of network-attached HSMs from the nCipher product line.

BENEFITS
  • Enhances security for critical applications
  • Reduces cost of compliance
  • Simplifies encryption and signing key management
  • CodeSafe option enables secure execution of custom applications within the security boundary to protect data in use
  • Helps ensure business continuity and minimize downtime with unique dual, hot-swap power supplies and redundant, field-serviceable fans
  • Compatible with nShield Solo and netHSM
  • Offers exceptional scalability with unsurpassed performance for up to 100 clients
  • Delivers FIPS 140-2 Level 3 and Common Criteria EAL4+ validation

FEATURES:

Hardware security for applications
nShield Connect 6000 is a high-end, general-purpose HSM.

nShield Connect features tamper-responsive, rack-mountable hardware, which generates application keys inside an independently certified, secure hardware boundary. The CodeSafe option enables secure execution of custom applications within the security boundary to protect data in use against insider and Trojan attacks.

High availability features to ensure business continuity
Designed for business continuity, nShield Connect is the world’s only general-purpose HSM with dual, hot-swap power supplies. This enables organizations to connect the HSM to two power sources, safeguarding against the possibility of a blackout of one source. The power supplies can be replaced one at a time without having to power down the unit, in other words without downtime. Because the power supplies are field-replaceable, operators can replace them on site rather than sending them to a service center.


nShield Connect features redundant fans. Should one of the fans fail, the remaining fans still provide enough cooling for the appliance. The fan tray can be replaced on-site during scheduled maintenance hours, minimizing impact on the business and without having to send the unit to a service center. To further increase availability, several HSMs can be clustered and load balanced. SNMP support enables remote monitoring of power supplies, temperature, fan speeds, and other parameters.


Remote management reduces costs
In situations where nShield Solo or nShield Connect HSMs are deployed at a remote site or in a lights-out data center, Remote Operator can be used with an nShield Solo card in the operator's machine to remotely provide credentials. This accelerates security administration and reduces travel costs.

Security World management lowers TCO
The Security World management software centrally manages nShield Connect, nShield Solo and netHSM to reduce setup and administration time. Security World securely supports remote operation of HSMs in lights-out data centers, disaster recovery even after total hardware replacement, and key sharing across HSMs and geographies. Keys and metadata can be backed up automatically without requiring additional hardware, reducing the total cost of operations.
The operational and cost advantages of Security World become apparent when contrasting it with the approach of legacy HSMs which are still widely used:
| Legacy HSM approach | Thales Security World |
|---|---|
| Expensive backup on custom hardware | Cost-effective backup on file server |
| Backup requires manual, physical operation | Backup can be automated, reducing the cost of operations |
| Storage is very limited and requires custom hardware for upgrade | Clustering made easy by flexible approach |
| Outdated security approach makes operations cumbersome and expensive | Same level of security, more flexibility, and easier operations |

Premium performance avoids bottlenecks
To provide services for up to 100 clients, nShield Connect offers hardware acceleration for cryptographic operations, making it the world’s fastest network-attached HSM, with up to 6,000 signing transactions per second (TPS) using 1,024-bit RSA keys. With 2,048-bit RSA keys, which the National Institute of Standards and Technology (NIST) recommends from 2010, nShield Connect delivers up to 3,000 TPS. Web servers such as Microsoft IIS and Apache can increase SSL throughput by off-loading handshake operations to the HSM. Two Gigabit Ethernet ports enable the HSM to service two network segments.
Elliptic curve cryptography is becoming increasingly popular. nShield Connect modules can process elliptic curves inside the HSM; this requires the Elliptic Curve (ECC) Activation option.

Readily integrates with third-party applications
nShield Connect integrates with applications through standard interfaces including PKCS#11, Java Cryptography Extension (JCE), Microsoft CAPI and CNG.

Thales HSMs of the nCipher product line integrate with business applications through Microsoft CryptoAPI / CNG, PKCS#11, Java JCE, OpenSSL and nCore.
nShield Connect is compatible with other nShield Solo and netHSM modules and can be upgraded to support additional features using various option packs. nShield Connect supports a broad range of operating systems, including Windows 2008 R2/2008/2003/Vista/XP, Linux, Solaris, AIX and HP-UX. nShield Connect also supports these operating systems on virtual servers.

nToken delivers hardware HSM client authentication
For organizations that wish to enhance security for their HSM clients, nTokens are PCI or PCI Express cards that enable strong authentication for nShield Connect clients, ensuring that servers cannot be impersonated.

CodeSafe protects data in hostile environments
All HSMs can protect key material against breaches, but most cannot actually protect your valuable data while it is in use. Data breaches have shown that Trojans or rogue administrators still have access to sensitive information on the host system after it has been decrypted by the HSM. The Thales CodeSafe technology enables you to process sensitive information inside the HSM so that it is never exposed on the host system. This enables you to run critical processes in hostile environments, for example:
  • Where facilities cannot be physically secured
  • Where you need to protect against rogue individuals with access to the host system
  • Where host systems may be hacked or become infected by Trojans 
Thales offers off-the-shelf CodeSafe applications as well as CodeSafe Developer Software to create custom applications.

Cryptography and compliance
nShield Connect supports a broad range of public-key and symmetric algorithms, including a full Suite B implementation with optional, fully licensed elliptic curve cryptography (ECC). nShield Connect's security boundary is validated to FIPS 140-2 Level 3 and Common Criteria EAL 4+. Following security best practice and to enable compliance, it separates administrative and operational duties with two-factor authentication and dual control. These operator groups can segregate access to keys by application, role, division, or geography.

Integrated services
Thales offers professional services to ensure a best practice implementation of Thales HSMs. Organizations can benefit from developer support to integrate Thales HSMs with custom applications or to develop custom applications to be executed on the HSM to process sensitive data.



SPECIFICATIONS:

Model overview
nShield Connect is available in several different variants:


| Part Code | Model | Power Supplies | Bundled # Client Licenses | Max # Client Licenses | Front Panel |
|---|---|---|---|---|---|
| NH2033 | nShield Connect 500; F3; SEE Ready (no nTokens) | 2 | 3 | 10 | Black |
| BN2033 | nShield Connect 500; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 10 | Black |
| BN2033-E | nShield Connect 500; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 10 | Black |
| NH2040 | nShield Connect 1500; F3; SEE Ready (no nTokens) | 2 | 3 | 20 | Black |
| BN2040 | nShield Connect 1500; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 20 | Black |
| BN2040-E | nShield Connect 1500; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 20 | Black |
| NH2047 | nShield Connect 6000; F3; SEE Ready (no nTokens) | 2 | 3 | 100 | Silver |
| BN2047 | nShield Connect 6000; F3; SEE Ready (3 nToken PCI) | 2 | 3 | 100 | Silver |
| BN2047-E | nShield Connect 6000; F3; SEE Ready (3 nToken PCIe) | 2 | 3 | 100 | Silver |


All nShield Connect variants are CodeSafe-ready and validated for FIPS 140-2 Level 3 as well as Common Criteria EAL4+. Each module is shipped with 3 bundled client licenses.
Performance
Performance numbers are provided in signing transactions per second (TPS).

| Part Code | Model | TPS @ RSA 1,024 bit | TPS @ RSA 2,048 bit | TPS @ RSA 4,096 bit |
|---|---|---|---|---|
| NH2033 | nShield Connect 500; F3; SEE Ready (no nTokens) | 500 | 150 | 65 |
| BN2033 | nShield Connect 500; F3; SEE Ready (3 nToken PCI) | 500 | 150 | 65 |
| BN2033-E | nShield Connect 500; F3; SEE Ready (3 nToken PCIe) | 500 | 150 | 65 |
| NH2040 | nShield Connect 1500; F3; SEE Ready (no nTokens) | 1,500 | 500 | 150 |
| BN2040 | nShield Connect 1500; F3; SEE Ready (3 nToken PCI) | 1,500 | 500 | 150 |
| BN2040-E | nShield Connect 1500; F3; SEE Ready (3 nToken PCIe) | 1,500 | 500 | 150 |
| NH2047 | nShield Connect 6000; F3; SEE Ready (no nTokens) | 6,000 | 3,000 | 500 |
| BN2047 | nShield Connect 6000; F3; SEE Ready (3 nToken PCI) | 6,000 | 3,000 | 500 |
| BN2047-E | nShield Connect 6000; F3; SEE Ready (3 nToken PCIe) | 6,000 | 3,000 | 500 |


Performance may vary depending on operating system, application, network topology, and other factors.

Physical specifications
  • Physical dimensions: 19” rack unit, 1U, 705 mm depth (43.4 x 430 x 705 mm)
  • Unpackaged weight: 11.5 kg
  • Packaged dimensions: 190 x 590 x 890 mm
  • Packaged weight: 19.5 kg
  • Power consumption: up to 1.2A at 110V AC 60Hz or 0.6A at 220V AC 50Hz
  • Input voltage: 100-240V AC auto switching 50-60 Hz (nominal)

Operating temperatures

  • Normal range: 10 to 35 °C
  • Operating range: 5 to 40 °C
  • Storage range: -20 to 70 °C

Humidity

  • Operating range: 10 to 90 % (relative, non-condensing at 35%)
  • Storage range: 0 to 85 % (relative, non-condensing at 35%)

Front

Front panel of nShield Connect 6000:
  • Touch wheel
  • Smart card reader
  • Vents with easy access to field-replaceable, redundant fans
  • USB connector for keyboard
  • Color LCD
  • Power button
  • Clear button
  • Warning LED

Back

Back panel of nShield Connect 6000:
  • Dual, hot-swap power supplies, each with IEC 320 mains socket & rocker switch
  • Mains cable retaining bracket, supplied with cable retainers
  • 2x 1 Gigabit Ethernet ports

Hardware Options

nShield Connect 6000 accessories include slide rails, smart cards, and an optional USB keyboard

Optional features


Spare parts (not included)


Algorithms

  • Public key algorithms: RSA, Diffie-Hellman, DSA, El-Gamal, KCDSA, ECDSA, ECDH
  • Symmetric algorithms: AES, ARIA, Camellia, CAST, DES, RIPEMD160 HMAC, SEED, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, Triple DES
Certified for Windows Server 2008 R2

Platforms

  • Windows 2008 R2/2008/2003/Vista/XP
  • Solaris
  • HP-UX
  • AIX
  • Linux

Application interfaces

  • PKCS #11
  • Microsoft CryptoAPI / CNG
  • Java JCE
  • OpenSSL
  • nCore
Certifications

Posted on Friday, November 19th, 2010

China Hijacks 15% of Internet Traffic?

by Craig Labovitz
On Wednesday, the US China Economic and Security Review Commission released a wide-ranging report on China trade, capital markets, human rights, WTO compliance, and other topics. If you have time to spare, here is a link to the 324 page report.
Tucked away in the hundreds of pages of China analysis is a section on the Chinese Internet, including the well-documented April 8, 2010 BGP hijack of several thousand routes (starting on page 244).
To review, at around 4am GMT on April 8th a Chinese Internet provider announced 40,000 routes belonging to other ISPs / enterprises around the world (though many were for China based companies). During a subsequent roughly 15 minute window, a small percentage of Internet providers around the world redirected traffic for a small percentage of these routes to Chinese address space. RIPE provides a link to a list of some of these prefixes (as well as indicating the impact on European carriers was minimal) and Andree Toonk and his colleagues at BGPmon have a nice synopsis at the BGPmon blog.
Following shortly on the heels of the China hijack of DNS addresses in March, the April BGP incident generated a significant amount of discussion in the Internet engineering community.


Any corruption of DNS or global routing data (whatever the motive) is a cause of significant concern and reiterates the need for routing and DNS security. But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and technical realities.
So, it was with a bit of a surprise that I watched an alarmed Wolf Blitzer report on prime time CNN about the China hijack of “15% of the Internet” last night. A bit less diplomatic, a discussion thread on the North American Network Operator Group (NANOG) mailing list called media reports an exaggeration or “complete FUD”. Also on the NANOG mailing list, Bob Poortinga writes “This article … is full of false data. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted.”
If you read the USCESRC report, the committee only claims China hijacked “massive volumes” of Internet traffic but never gets as specific as an exact percentage. The relevant excerpt from the report is below:


The USCESRC cites the BGPMon blog as the source of data on “massive traffic volumes”. But curiously, the BGPMon blog makes no reference to traffic — only the number of routes.
You have to go to a National Defense interview with Dmitri Alperovitch, vice president of threat research at McAfee, to first come up with the 15% number. Several hundred media outlets, including CNN, the Wall Street Journal, Time Magazine and many more picked up this interview and eagerly reported on China’s hijack of “massive Internet traffic volumes of 15% or more”.
Now certainly, diverting 15% of the Internet even for just 15 minutes would be a major event. But as earlier analysis by Internet researchers suggested, this hijack had limited impact on the Internet routing infrastructure — most of the Internet ignored the hijack for various technical reasons.
And indeed, ATLAS data from 80 carriers around the world graphed below shows little statistically significant increase due to the hijack on April 8, 2010. I highlight April 8th in yellow and each bar shows the maximum five minute traffic volume observed each day in April going to the Chinese provider at the center of the route hijack.



While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted traffic never topped a handful of Gbps. And in an Internet quickly approaching 80-100 Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).
In fairness, I should note that I don’t know how Mr. Alperovitch obtained his 15% number (the article does not say), and a hijack of 40k routes out of a default-free table of ~340K is not far from fifteen percent. But of course, routes are different from traffic. I also add that China denied the hijack and that some Internet researchers suspect the incident was likely accidental.
The global BGP Internet routing system is incredibly insecure. Fifteen years ago, I wrote a PhD thesis (link available here) using experiments in part capitalizing on the lack of routing security. My research injected hundreds of thousands of fake routes (harmless!) into the Internet and redirected test traffic over the course of two years. A decade or more later, none of the many BGP security proposals have seen significant adoption due to a lack of market incentives, and non-legitimate routes still regularly get announced and propagated by accident or otherwise. Overall, the Internet routing system still relies primarily on trust (or “routing by rumor” if you are more cynical).
We need to fix Internet infrastructure security, but we also need to be precise in our analysis of the problems.
UPDATE: Additional discussion and statistics on the incident are now available in a follow-up blog at http://asert.arbornetworks.com/2010/11/additional-discussion-of-the-april-china-bgp-hijack-incident.
- Craig
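Two checks an operator would want after reading the analysis above, as an added example that is not part of the original post: an origin-AS mismatch detector run over constructed announcements (the kind of registry comparison route monitors perform), and a side-by-side computation of the share of the routing table a hijack touches versus the share of traffic it actually diverts under a simplified shortest-AS-path rule. All prefixes, ASNs, path lengths and traffic figures are assumptions, not data from the April 2010 incident.

```python
# Added example (not from the original post): flag announcements whose origin
# AS differs from the registered one, then contrast the share of routes a hijack
# touches with the share of traffic it diverts. All data below is constructed.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # AS path seen from one vantage point; last hop is the origin


# Constructed registry of the legitimate origin AS for each prefix.
EXPECTED_ORIGIN = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "192.0.2.0/24": 64502,
    "100.64.0.0/16": 64503,
}


def origin_mismatches(routes, expected=EXPECTED_ORIGIN):
    """Return routes whose origin AS is not the registered one. Prefixes missing
    from the registry are skipped, so only verifiable mismatches are flagged."""
    hits = []
    for r in routes:
        key = str(ip_network(r.prefix))  # normalises and rejects malformed prefixes
        registered = expected.get(key)
        if registered is not None and r.as_path[-1] != registered:
            hits.append(r)
    return hits


def prefers_hijacked(legit_path, hijacked_path):
    """Simplified best-path choice, an assumption of this example: the shorter
    AS path wins and a tie keeps the installed (legitimate) route. Real routers
    apply local preference first, one reason most networks ignored the hijack."""
    return len(hijacked_path) < len(legit_path)


def diversion_shares(table_size, total_tbps, victims):
    """victims maps prefix -> (legit_path, hijacked_path, gbps sent to it).
    Returns (fraction of the table hijacked, fraction of traffic diverted)."""
    route_share = len(victims) / table_size
    diverted_gbps = sum(gbps for legit, bogus, gbps in victims.values()
                        if prefers_hijacked(legit, bogus))
    return route_share, diverted_gbps / (total_tbps * 1000)


# Constructed observations; AS 64599 plays the announcing provider.
SAMPLE_ROUTES = [
    Route("198.51.100.0/24", (64510, 64500)),        # legitimate origin
    Route("203.0.113.0/24", (64510, 64520, 64599)),  # wrong origin: flagged
    Route("192.0.2.0/24", (64599,)),                 # wrong origin: flagged
    Route("100.64.0.0/16", (64511, 64503)),          # legitimate origin
    Route("2001:db8::/32", (64511, 64530)),          # not in registry: skipped
]

# Two victims in a 20-route table are 10% of routes, yet only the prefix whose
# bogus path is shorter than the legitimate one actually loses traffic.
VICTIMS = {
    "203.0.113.0/24": ((64510, 64501), (64510, 64520, 64599), 40.0),
    "192.0.2.0/24": ((64510, 64520, 64502), (64599,), 2.0),
}

if __name__ == "__main__":
    for r in origin_mismatches(SAMPLE_ROUTES):
        print("origin mismatch:", r.prefix, "originated by AS", r.as_path[-1])
    routes, traffic = diversion_shares(20, 0.1, VICTIMS)  # 0.1 Tbps = 100 Gbps
    print(f"hijacked {routes:.1%} of routes, diverted {traffic:.1%} of traffic")
```

With the constructed figures the hijack covers 10% of routes but diverts 2% of traffic, which is the routes-versus-traffic distinction the post draws.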

Tuesday, November 9, 2010

Information Security Presales Engineer

We are looking for new colleagues for the Probil Bilgi Guvenligi Cozumleri presales team, for each of the four solution groups below. Those interested can send their current CVs to bulent.buyukkahraman@probil.com.tr.

* Group 1: Anomaly Detection and Mitigation, WAN Optimization Controller, Deep Packet Inspection, Network & Wireless IPS, Network Access Control, Integrated Router Switch Security

* Group 2: Enterprise Network Firewall, Secure E-Mail Gateway, Secure Web Gateway, SMB Multifunction Firewalls (UTM), Data Loss Prevention, SSL VPN

* Group 3: Database Security, Identity and Access Management, Storage Security, Hardware Security Module, Public Key Infrastructure, Endpoint & Mobile Data Protection

* Group 4: Web Application Firewall, Application Delivery Controller, Web Fraud Detection, Security Information Event Management, Disaster Recovery Solutions, Virtualization Security

Friday, November 5, 2010

Arbor Peakflow 5.5 release for SP and TMS

Arbor Networks is pleased to announce the general availability of the Arbor Peakflow 5.5 release for SP and TMS. This new release augments the industry's leading network-wide infrastructure security and traffic-monitoring platform.

In this release Arbor addresses the number one threat to the adoption of cloud computing today, the availability of services and data, by introducing a standalone version of its Threat Management System (TMS). Until now, Peakflow SP and TMS have been tightly integrated, delivering a unique combination of visibility and real-time attack mitigation. Peakflow TMS is now a standalone appliance purpose-built for rapid deployment and surgical mitigation of DDoS attacks targeting Hosting and Internet Data Center (IDC) infrastructure and customers.

The Peakflow V5.5 release is a feature release that incorporates fixes for field issues found in previous SP and TMS releases plus many new capabilities and reporting features, including geography-based IP alerting and mitigation: when traffic spikes come from unexpected countries, customers are quickly alerted to potentially malicious traffic and can block or rate-limit it. Peakflow SP 5.5's IPv6 Border Gateway Protocol (BGP) capabilities deliver enhanced visibility and security as customers transition to the IPv6 protocol. Peakflow SP 5.5 also adds new infected-host detection and reporting features, giving security teams macro visibility into threats across the network. Finally, the release introduces support for 4-byte Autonomous System Numbers (ASNs).

 