Highly Configurable Ethernet-Security Integration Solution
Meeting the Demand for Secure Networking Equipment Using MACsec
In today’s Enterprise, network security is a top priority, driven by the need to prevent costly data breaches and to meet compliance requirements such as PCI, HIPAA, and Sarbanes-Oxley. Due to these requirements, Enterprise networks now need to be secured to prevent data leakage within the physical network infrastructure of routers, bridges, and switches, and across a range of connected devices such as IP phones and printers. Delivering products with this level of security can be a challenge for vendors, who often lack the knowledge and expertise in cryptography and standards necessary to meet these stringent requirements in a timely manner.
To meet this need, INSIDE Secure provides a complete solution through its MACsec software toolkit and family of SafeXcel Hardware IP MACsec Security Engines. The MACsec toolkit supports rapid MACsec integration by device manufacturers that build IP phones, switches, bridges, and routers for Layer 2 LAN and Metro Ethernet communications. Leading vendors of Ethernet switch fabric and PHY devices use SafeXcel Hardware IP engines to reach speeds up to 100 Gbps. When built into the same platform, this hardware/software combination provides a complete and standards-compliant MACsec solution, which ensures auditable compliance while reducing development cost and time to market.
MACsec for High Performance Layer 2 Security
IPsec and SSL VPNs are ideal security solutions for addressing the remote access demands associated with mobile networking. The emergence of high-speed LAN and MAN networks has driven the demand for Layer 2 security solutions that support high-performance, low-latency, and simple key management functions while addressing compliance requirements.
The Media Access Controller (MAC) security standard (known as MACsec) specifies how all or part of a LAN network can be transparently secured. MAC Security provides connectionless user data confidentiality, frame data integrity, and data origin authenticity.
The MACsec security architecture specifies two main components:
- A control plane defined in 802.1X-2010 (formerly 802.1X-REV), which provides an authenticated key agreement protocol (MKA), EAPOL (a protocol to carry EAP over LAN), and an announcement protocol.
- A data plane protocol defined in 802.1AE, which protects frames transmitted on the LAN.
Both components need to be secured based on an understanding of the relevant standards and the cryptography required to address them properly.
A Complete MAC Security Solution for IEEE 802.1X-2010 and 802.1AE
INSIDE’s MACsec Toolkit is highly portable, well-documented and commented ANSI C source code that is suitable for a wide range of platforms and enables developers to embed MACsec capabilities into new and existing products. It offers a complete functional software implementation, allowing you to test, simulate, and prototype your solutions early (even before the actual hardware is taped out) and speed time to market, with less development cost, while significantly reducing risk.
The MACsec Toolkit implements all the functionality defined in IEEE standards 802.1AE and 802.1X-2010. In particular, it supports MKA, Network Announcements, EAPOL, PACP logic, Virtual ports, Extended sequence numbers and AES-GCM-256. In addition, it reuses proven components from the QuickSec® IPsec toolkit such as EAP, TLS RADIUS client, certificate manager, and cryptographic libraries.
Reducing Development Costs and Time to Market
MACsec Toolkit has been designed to easily integrate with an existing product. In particular, both the 802.1X-2010 and the 802.1AE specifications are implemented within their own modules with well-defined APIs.
A typical switch manufacturer may only integrate the 802.1X-2010 Port Access Entity module with its existing switch software architecture and interface, using the MACsec LMI API, to its hardware implementation of the MACsec data plane (e.g. INSIDE EIP-160). This integration has a low footprint and deterministic memory allocation.
A typical host such as an IP phone has low data throughput requirements. It should then integrate both the 802.1X-2010 Port Access Entity module and the 802.1AE SoftSec module. The SoftSec module may use a hardware implementation of AES-GCM (e.g. INSIDE EIP-38 AES-GCM IP core) through the SoftSec Crypto API.
Pre-Integrated Hardware and Software Support for High Speed Scaling
The MACsec toolkit includes an optimized software implementation of AES-GCM and 802.1AE transforms. It provides a well-defined API for interfacing between the hardware and software components, allowing for simple integration with third-party hardware. The MACsec toolkit is straightforward to integrate with Inside’s SafeXcel-IP cores including the EIP-38 AES-GCM IP core, the EIP-60 inline MACsec frame engine, and the EIP-160 flow-through MACsec security engine. The solution supports low-latency cut-through modes and speeds scaling beyond 100 Gbps.
Conform to the Latest Standards and Future-Proof your Products
Following the QuickSec® family tradition, the MACsec toolkit is highly interoperable and provides the latest security functionality defined in IEEE standards 802.1X, 802.1AE, and 802.1X-2010. The enduring INSIDE commitment to the security market and its standardization assure that the QuickSec® products stay current with these complex and evolving standards. Inside’s experience and participation in the field of security protocol standardization (e.g. IETF, IEEE and other organizations) guarantees that our customers always have a head-start on changing and emerging security standards.