Protecting data-in-motion from unauthorized access
Protecting Data-in-Motion
Data-in-motion, also called data-in-transit, refers to digital information when transferring between network system nodes. Once the data is stored on a hard drive or network attached storage (NAS), it is considered data-at-rest. Equipping your military system with capable technology and protecting sensitive data from external threats is a top priority for system integrators and operators. Data can be exposed to risks both while in motion and at rest and requires protection in both states. To this end, encryption is key to maintaining the data’s integrity throughout its intended course. Multiple standards-compliant systems that ensure the security of sensitive and classified data are available in layered encryption of hardware, software, or a mix of both for system integrators to choose from.
Security of Data-in-Motion
Data-in-motion, also referred to as data-in-transit, is the digital information transferred between locations either within or between network computer systems. This white paper highlights how innovative commercial security standards and technologies can help protect data-in-motion.
Protecting Wired Data-in-Motion
As a solution technology integrator (STI) for Cisco Systems, Curtiss-Wright integrates Cisco’s ESS-3300 embedded switch and ESR-6300 embedded router cards into rugged systems for military use cases. These Cisco technologies have undergone rigorous testing and obtained certifications, including FIPS 140-2, Common Criteria, and approval as CSfC components. These Cisco technologies are based on enterprise-grade Cisco IOS-XE software, which provides network security features that ensure highly secure voice, video, and data communication. In addition, IOS-XE has been validated on many other Cisco products for both Common Criteria and CSfC.
Switching solutions featuring CSfC-approved Cisco ESS-3300
|
|
For Layer 2 (LAN) Ethernet switch traffic data-in-motion security using MACSec, Curtiss-Wright’s Parvus® DuraNET® 3300, the PacStar 444 Small GigE Switch, and the PacStar 446 Large GigE Switch package Cisco’s ESS-3300 technology in small form factor (SFF) chassis that combines mechanical ruggedness with Cisco’s high-performance IP networking capabilities. Both the Parvus and PacStar solutions use the same Cisco technology; they are packaged in different ways with different connector types, different levels of ruggedness, etc. With Cisco Network Essentials or Network Advantage IOS-XE software licenses options, the units can support managed Layer 2 switching and Layer 3 dynamic routing with a comprehensive set of secure network services. |
|
Routing Solution featuring CSfC-Approved Cisco ESR-6300
|
|
To secure data-in-motion for Layer 3 Wide Area Network (WAN) data, Curtiss-Wright’s Parvus DuraMAR® 6300 and the PacStar 447 Small Router Module with Cisco ESR 6300 integrate Cisco’s ESR-6300 router card and IOS-XE software into rugged systems suited for size, weight, and power (SWaP)-constrained military and civil vehicle/aircraft installations. Packaged in different ways with different connector types and levels of ruggedness, these SFF secure network routers are ideal for red-black architectures, leveraging Commercial National Security Algorithm (CNSA) suite cryptography for IPsec (aka NSA Suite B). |
|
Secure Wireless Solutions for Tactical, Expeditionary, and Deployable Communications
This whitepaper compares various CSfC network architectures, and proposes several approaches for CSfC solutions optimized for mobility use cases.
Protecting Wireless Data-in-Motion
The NSA now allows classified information to be transmitted on wireless connections, even over public and partner networks, using two sets of encryption technologies (such as Cisco and Aruba VPNs), one layered inside the other. The NSA has also approved combinations of solutions that include a layer of VPN combined with encryption provided by Wi-Fi, TLS, or MACsec, following specific guidelines.
Curtiss-Wright offers turnkey solutions based on its PacStar® 400-Series modules that can be used in a CSfC solution. These solutions are available directly from Curtiss-Wright and through other large DoD-focused systems integrators/prime contractors.
Curtiss-Wright collaborates closely with industry-leading, enterprise-class makers of networking, encryption, and cybersecurity technologies – integrating, testing, and certifying their technologies into PacStar modular systems. We provide the solutions in a pre-integrated and configured state and customize the solutions to meet program requirements.
PacStar CSfC Solutions are managed by PacStar IQ-Core® Software Crypto Manager (CM) to simplify maintenance, unify management, reduce complexity, decrease downtime, and shorten training for system administrators. PacStar IQ-Core CM significantly reduces equipment costs over Type 1 encryption hardware and enables U.S. coalition partner interoperability without using controlled cryptographic items (CCI).
Encryption Methods
IPsec Encryption
Internet Protocol Security (IPsec) is a suite of secure network protocols that authenticates and encrypts packets between two communication points over a Layer 3 IP wide area network (WAN). Network routers and security systems that support commercial VPN capabilities are traditionally built around IPSec and similar well-known cryptographic standards.
MACsec Encryption
When a Local Area Network (LAN) needs to protect Layer 2 Ethernet traffic, MACSec (802.1AE) encryption can authenticate and safeguard data. The MACsec standard enhances local area network (LAN) traffic security by identifying unauthorized LAN connections and excluding them from communication within the network. In addition, the protocol authenticates nodes through a secure exchange of randomly generated keys, ensuring data can only be transmitted and received by MACsec-configured nodes.
NSA Type 1 and CSfC Solutions
Traditionally, the U.S. government has used National Security Agency (NSA) Type 1 equipment built around classified algorithms to secure network traffic. However, this technology was generally only available to the government and its contractors, and its use comes with many burdensome restrictions and custodial requirements. In recent years, protecting a military platform’s classified data-in-motion as it’s routed over an IP network has become more accessible, more affordable, and faster to deploy, with the NSA’s approval of the use of commercial encryption technologies.
The Commercial Solutions for Classified (CSfC) program is an NSA initiative that allows commercial off-the-shelf (COTS) solutions that have been verified and approved to meet national security standards to be used for layered solutions protecting national security system (NSS) data that is classified up to Top Secret. This approach makes it far less burdensome to secure embedded network communications on-board an aircraft, vessel, ground vehicle, carried to the tactical edge, or even used in a home or field office. That’s because integrators can use a layered commercial solution based on public cryptography and secure protocol standards.
CSfC requires the use of two encryption layers, both of which can be either hardware, software, or a mix of the two. In addition, system integrators can select approved commercial components from the NSA Central Security Service (CSS) components list, which shows system designers what cybersecurity solutions are approved to speed their system development.
Data Protection Domains
Curtiss-Wright offers proven and certified COTS storage solutions that match data security requirements, including NSA Type 1, CSfC, CC and FIPS 140-2.
Our TrustedCOTS products provide confidence in the security and un-compromised protections.
We go the extra mile to protect our supply chain and manufacturing processes.
