Centralized Management
TCC's DSD 72B-SP and DSD 72A-SP (STM) SONET/SDH encryption family is centrally deployed, configured and managed by TCC's advanced online KEYNET Optical Manager for network encryption and secure communications. Multiple layers of protection secure keys at every point in their life cycle without human intervention.
DSD 72B-SP Optical Encryption
The DSD 72B-SP SONET/SDH interoperable encryption family is available in rugged industrial, military and industrial variants. It provides strategic-level path encryption and secure communications of voice, data and video transmitted over fiber optic networks. Protocol agnostic and with automated KEYNET key and device management, DSD 72B-SP SONET/SDH encryption is a cost-effective, secure communications solution for global mission-critical networks.
Device and Key Management
KEYNET provides user-authenticated, role-based secure device management, as well as path configuration and monitoring that supports network policies (blocked, plain, secure). With an intuitive user interface and automated polls, alarms and logs, a network expert is not needed for trusted key and device management of a large network.
KEYNET provides end-user control over secret key generation functions and ensures that all virtual container (VC) data is processed in the assigned mode (secured, plain, blocked, unequipped, etc.). It also ensures that changes to VC endpoints (container re-routings) are efficiently managed. KEYNET's auditing of individual DSD 72B-SP SONET/SDH encryption devices allows role-based, authenticated users to confirm the configuration of all DSD 72B-SP SONET/SDH encryption devices, perform remote diagnostics, and manage each device’s moment-to-moment virtual, logical connections.
Multiple Layers of Protection
KEYNET Optical Manager is comprised of an MS Windows® 7 based 19" rack mounted computer and an attached TCC Security Vault. The Security Vault communicates with its server via a dedicated Ethernet connection. The computer hosts the KEYNET server application (KSA) service. A KEYNET Local Client (KLC) application is also hosted on the computer, and communicates with the embedded KSA service. Using the KLC, the user logs onto and authenticates with the KSA. The server also securely communicates with each fielded DSD 72B-SP SONET/SDH encryptor over an IP network (e.g., the Internet, or private IP data network). KEYNET Lite-Optical is available for small networks.
SONET/SDH Encryption KEYNET Management Features
Key Management Functionality
- Scheduled key updates
- Whenever required (on-demand)
- Reassignment of fiber segments
- Reroute of Virtual Containers (VCs)
- Restoration due to fiber outages
High-Level Security
Data Encryption Algorithm: AES-256
- Trusted secret key infrastructure
- All keys encrypted by Security Vault
- All management messages to / from KEYNET are encrypted
- All security relevant activities logged
- Logs retrieved by KEYNET
- Tamper-resistant enclosure; keys erased when enclosur
Device Management Functionality
- Dynamically reassign VCs
- Set security levels of individual VCs
- Cipher / Block / Plain / Forced Plain
- Unassigned / Unequipped
- Monitor critical functions
- Per user-defined polling intervals
- Retrieve security events (audits)
- Monitor device logistical status
- Record asynchronous events / traps
- Health of virtual containers
- Section and path overhead data
- Inter-device communications links
- Set path overhead IDCL channel(s)
KEYNET Optical Manager Specifications
KEYNET messages sent over IP data network (e.g., Internet)
- AES-256 encrypted device management messaging
- via SNMP (IPv4) MIB messages
- AES-256 encrypted key management messaging
- via ANSI-defined Key Service Messages (KSMs)
Management of Two Independent Network Interfaces
External network interface to each DSD 72B-SP device
- Internet Protocol (IP) over Ethernet physical layer
Security Vault interface (Server PC to Security Vault)
- Dedicated IP over Ethernet interface
Remote polling of each DSD 72B-SP Device
- Retrieves up-to-date device status information
- Retrieves audit reports (Security; Operations; Logistics)
Initial Master Key Encrypting Key (MKEK) generation
Manual MKEK distribution (to each DSD 72B-SP)
Electronic distribution of required keys to each DSD 72B-SP
AES-256 MKEK-encrypted key distribution messages
KEYNET Network Management
Virtual Container configurations (network topology set-up)
Virtual Container rerouting (performed on-demand)
- Sends PKEK / PMAK key pairs prior to reroute execution
100VAC to 240VAC / 50Hz or 60Hz
Optional Uninterruptible Power Supply (Recommended)
KEYNET Server
Personal Computer: