Enigmätron, High-Security Data Encryption Equipment

Description

Valiant’s Enigmätron is a high-security data encryption device that provides Ethernet frame encryption for Layer 2 networks, IP packet encryption for Layer 3 networks, and Layer 4 data payload encryption for IP and MPLS networks. The Enigmätron offers full-duplex encryption at speeds up to 12 Mbit/s with the AES-256 algorithm, using TLS and SHA-1 to authenticate the secure communication channel.

Valiant’s Enigmätron is an easy-to-use encryption device with advanced firewall features that can be installed to secure RTUs, SCADA terminals and Smart Grid distribution systems. The Enigmätron may also be deployed in centrally managed encryption networks consisting of multiple branch-office edge installations, securing endpoints such as Point-of-Sale terminals and ATM networks.

The Enigmätron also includes an integrated 4-port Ethernet switch, allowing up to four terminals (RTUs, for example) to be connected directly and avoiding the cost of deploying additional Ethernet switches at the network edge.

The Enigmätron uses Broadcast Encryption technology to provide scalable encryption. Broadcast encryption enables an encrypted message to be transmitted to multiple local or remote clients that hold different keys.

Access to the Enigmätron is password protected, with advanced firewall capabilities that meet and exceed NERC requirements as well as all mandatory Password Protection and Control requirements of the GR-815-CORE-2 specification. The Enigmätron can optionally be managed centrally through a RADIUS server for enhanced access security and central password management and control.

Features and Highlights

  • Encrypted throughput up to 12 Mbps
  • Per-frame/packet authentication
  • Firewall
  • White List and Black List options
  • Automatic key rotation option
  • Seamless scalability
  • Infrastructure neutral
  • Transparent to network and applications
  • Easy installation and management

Applications

  • Utilities: oil and gas production, pipelines, electric generation, transmission and distribution
  • Remote node on SCADA multi-drop networks
  • Law Enforcement
  • Retail Stores, Point-of-Sale terminals, Credit Card machines
  • Financial institutions, corporate links, branch offices, ATM machines
  • VLAN: supports multiple VLANs through an external IP network
  • Supports voice and video over public and/or private networks
  • For home use, hotels and secured applications over unsecured public transmission networks

Comprehensive Data Protection

  • IPsec site-to-site networks
  • MPLS meshed networks
  • Metro Ethernet and VPLS networks
  • Voice and video over IP applications

Performance

  • Encrypted throughput: 12 Mbps - bidirectional.
  • Encrypted latency: <4 ms* per hop
    *Measured with 512 byte packets with L3 encryption enabled. Latency may vary with packet size.

Encryption and Secure Communication Protocols

  • Encryption: AES-128, AES-192 and AES-256
  • IPSec (RFC 2401) for Layer 3 Encryption
  • Authentication (Message Integrity): HMAC-SHA (FIPS PUB 180-4)
  • Signature generation and verification: RSASSA-PSS, RSASSA-PKCS1 v1.5, X.509v3, DSA (FIPS 186-2)
  • Management session authentication: RSA, ECDSA, DSS
  • Security Key Exchange: Manual, or Automatic (programmed interval key rotation)
  • Group keying with SSL/TLS (bilateral authentication) based on certificates
  • X.509v3 Certificates
  • Certificate revocation: OCSP (RFC 2560), CRL (RFC 5280).

Firewall and Security

  • Secure Boot
  • Firewall Security:
    • Exclusion policy: access control based on a black list
    • Inclusion policy: access control based on a white list of IP addresses, MAC addresses and IP domains
  • Continuous monitoring of the TLS connection to nullify MitM attacks
  • Resistance to Denial of Service Attack
  • Encrypted Firmware Updates
  • Non-volatile access log that "fingerprints" all successful and failed log-in attempts, recording the IP and MAC addresses of every login and login attempt
  • SNMP trap generation, along with alarm and LED indication, to notify of SecureLink modification
  • Password Protection with password strength monitor
  • RADIUS Password Authentication
  • SSH (Secure Access Control) with encrypted Password Protection

Network Support

  • Ethernet
  • VLAN tag preservation
  • MPLS tag preservation
  • IPv4
  • IPv6 (Layer 2 Ethernet encryption mode)
  • Secure NTP

Interface

  • Four 10/100 RJ45 locally switched network interfaces to the local (trusted) network
  • One 10/100/1000 RJ45 network interface to the remote (untrusted) network
  • Integrated four-port Ethernet switch
  • Auto MDI/X (straight or crossover Ethernet cable correction)
  • USB serial port for local access and configuration.

Policy Selector Options

  • Source or destination IP address
  • Source or destination port number
  • Protocol ID (L3 and L4 options)
  • VLAN ID (L2 option)

Device Management and Alarm Monitoring

  • Command Line Interface - Telnet, SSH
  • SNMPv2 Alarm Monitoring
  • Alarm condition detection and reporting (traps and SNMP alarm table)
  • Syslog
  • Audit Log

Indicators

  • System Status LED (encryption on/off status)
  • Power LED

Environmental

  • Operational temperature: -20 °C to +60 °C (-4 °F to 140 °F)
  • Humidity: up to 95% RH (non-condensing at 50 °C)
  • Cold start temperature: -10 °C
  • Maximum operational humidity: 95% RH (non-condensing)

Regulatory

  • Emissions: As per CISPR 22 / EN55022 Class A
  • CE and FCC: Part 15 Subpart A
  • Immunity: EN55024, EN61000