
BLACK BOX. EncrypTight


Academic year: 2021


BLACK BOX®

EncrypTight

BLACK BOX WAN ENCRYPTION

Secure WAN links without tunnels!

» Strong WAN encryption without IPsec VPN tunnels.
» Multilayer encryption.


724-746-5500 | blackbox.com/go/EncrypTight


More and more organizations are using the Internet to send data to branch offices. But because the Internet is a public network, security is an issue, so sensitive data must be encrypted. The answer is EncrypTight™, a Secure Mesh Internet solution using the EncrypTight Manager policy and key management software, and our FIPS-validated family of EncrypTight hardware encryption applications.

EncrypTight overcomes the limitations associated with IPsec VPN tunnels. It brings you air-tight encryption across any WAN — even the Internet — without the hassle of setting up a VPN tunnel for each connection. Layer 4 encryption capability leaves packet headers intact, making encrypted data far more compatible with network operations. Plus, EncrypTight doesn’t add latency to bog down network operations — it’s totally transparent.

The not-so-private MPLS WAN.

Many organizations don’t encrypt their data because it’s traveling on a “safe” MPLS network. Although MPLS networks provide more reliable connections than the Internet and aren’t as public, they cannot be counted upon to be private — they’re still vulnerable to attack.

MPLS is technically a VPN that mimics privacy by logically separating data with labels. Although the data traffic is kept separate from other traffic, it can still be easily intercepted at any node.

When vendors say MPLS is secure, what they mean is that the traffic is kept separate from other traffic, that they have processes in place to prevent unauthorized data snooping, and that their employees probably aren’t going to snoop either. In fact, your data probably won’t be stolen on an MPLS network, but you have no way of being sure and no way to tell if your data has been breached.

Solid security with versatility and scalability— a much-needed breakthrough in network security.

• Improve security without impacting performance.
• Works on the Internet or on private WANs.
• Security management with drag-and-drop simplicity.
• Works with all kinds of network traffic, including VoIP.
• Eliminate time-consuming and complex VPN tunnels.
• No delays, no jitter, no latency.
• Transparent to network operation and applications.

WARRANTY: 1 Year

In fact, the only way to ensure data security over an MPLS network is by encrypting data as it travels across the WAN.

Breaking out of the tunnel.

Although IPsec VPN tunnels are fairly simple to set up between only two points, when remote sites multiply, the number of tunnels increases exponentially. A tunnel is needed between each pair of sites, leading to administrative hassles every time a remote site is added.

EncrypTight eliminates the need to establish point-to-point tunnels between each pair of remote sites, freeing network administrators for other tasks. With EncrypTight, every network on your WAN can establish an instant encrypted connection to every other network equipped with an EncrypTight appliance.

Layer 4 encryption.

In addition to Layer 2 Ethernet frame encryption and Layer 3 IP packet encryption, EncrypTight offers a Layer 4 payload-only encryption option. Layer 4 encryption offers many advantages, including:

• Ability to pass encrypted data through NAT devices. VPN tunnels, which encapsulate the Layer 3 address, often don’t work with NAT.
• Compatibility with policy-based routing and load balancing that require Layer 3 addresses to be intact.
• Layer 4 encryption leaves Layer 3 headers intact, making it possible to troubleshoot a network without turning off encryption.
• Because headers are intact, data looks unencrypted, making it possible to use within countries that restrict encrypted data.

Central management.

Manage all your EncrypTight appliances with EncrypTight Manager software. The simple drag-and-drop interface scales seamlessly and enables you to set encryption policies based on IP addresses, port numbers, protocol IDs, or VLAN tags. You can quickly change policies across the entire WAN without interrupting network traffic. The Manager generates, and securely pushes, encryption keys and policies to appliances throughout the WAN. Logging and auditing functions enable you to collect and monitor important criteria such as enforcement point status, as well as policy, password, and device configuration changes. For more information, see pages 4–5.


Compliance.

EncrypTight helps you comply with HIPAA, HITECH, PCI, or other industry or government data-protection standards. EncrypTight offers AES 256-bit encryption. Plus, its logging and auditing functions help you save and organize the records required by many of these standards, reducing the scope of audits with thorough record keeping.

Seamless scalability.

Because there are no tunnels to set up, it’s easy to deploy EncrypTight across large WANs. New sites can be added instantly without having to establish a VPN tunnel to every other site.

Additionally, EncrypTight Manager—included with each EncrypTight appliance—enables network administrators to centrally manage security across the entire WAN using a simple drag-and-drop interface.

Traditional IPsec VPN: the cumbersome, hard-to-manage way.

• Tunnel based.
• Difficult to set up and manage.
• Requires added personnel to maintain.
• Slows network performance.
• Doesn’t support dual carrier environments.
• Slows or disables multicast applications.
• No Layer 4 network services.

[Figure: networks connected over the Internet, MPLS, or Ethernet.]

• No tunnels!
• Doesn’t slow network performance.
• Easy to set up, configure, and manage.
• Can be administered from a single location.
• Supports dual-carrier networks.
• VoIP and video compatible.
• Compatible with multicast applications.
• Preserves Layer 4 services.


Group encryption management for policies, keys, and devices.

• Manage network encryption from anywhere in the world.
• Define security policies with drag-and-drop simplicity.
• Separate security management from network management.
• Review and audit events to simplify regulatory compliance.
• Validate changes automatically before deployment.

Get ready for the easiest data security management system ever. The EncrypTight Manager software is a Web-based management platform that actually simplifies security management while preserving network performance and functionality.

Use the EncrypTight Manager and appliances to protect every type of network:

• IPsec site-to-site networks.
• MPLS meshed networks.
• Metro Ethernet and VPLS networks.
• VoIP networks.
• Video and multicast applications.
• Group encryption over public networks.
• Multicarrier networks.

A central point of policy management.

EncrypTight Manager is your central point of control to define policies for what traffic to protect and how to protect it. Use policies to define what network traffic to encrypt and specify if you want to encrypt, send, or drop it.

Fail-safe key management.

The EncrypTight Manager distributes group encryption policies and keys to EncrypTight appliances throughout the network. It also periodically sends key updates (rekeys) to minimize the risk of a brute-force attack by reducing the amount of information encrypted with the same key. With the fail-safe rekey feature, group keys are updated only when all group members are ready to receive a new key. This eliminates outages that occur when some members receive a new key while others continue to use the old key.

[Figure: EncrypTight Manager Architecture. Labels: EncrypTight™ Manager User Interface (multi-user browser-based UI); EncrypTight Manager Server and Database Cluster (application servers, databases, DR site); Enforcement Points, Group A and Group B; Full Mesh, AES-256, Daily Refresh; Hub-Spoke, AES-256, Hourly Refresh.]

The EncrypTight Manager difference: Manage network encryption from anywhere over the Web.
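The fail-safe rekey behaviour described above can be illustrated with a two-phase (stage, then activate) update compared against a naive push. This is an added example, not Black Box's implementation or protocol; the `EnforcementPoint` model, the key ids, and all function names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

Key = Tuple[int, bytes]  # (key id, 32-byte key; 256 bits to match AES-256)

@dataclass
class EnforcementPoint:
    """Hypothetical model of one group member (not the vendor's protocol)."""
    name: str
    reachable: bool = True
    active: Optional[Key] = None   # key currently used for traffic
    staged: Optional[Key] = None   # key received but not yet in use

    def stage(self, key: Key) -> bool:
        """Phase 1: store the new key without using it; report readiness."""
        if not self.reachable:
            return False
        self.staged = key
        return True

    def activate(self) -> None:
        """Phase 2: start using the staged key."""
        if self.staged is not None:
            self.active, self.staged = self.staged, None

    def discard(self) -> None:
        """Abort: forget the staged key and keep the active one."""
        self.staged = None

def make_group(names, unreachable=()):
    """Constructed sample group whose members all start on key id 1."""
    first = (1, secrets.token_bytes(32))
    return [EnforcementPoint(n, n not in unreachable, active=first) for n in names]

def key_ids_in_use(group):
    """More than one id means members can no longer decrypt each other."""
    return {ep.active[0] for ep in group}

def naive_rekey(group, key_id):
    """Push-and-switch: every member that receives the key uses it at once."""
    key = (key_id, secrets.token_bytes(32))
    for ep in group:
        if ep.stage(key):
            ep.activate()
    return key_ids_in_use(group)

def failsafe_rekey(group, key_id):
    """Switch only if every member staged the key; otherwise nobody switches."""
    key = (key_id, secrets.token_bytes(32))
    ready = [ep.stage(key) for ep in group]   # ask all members, no short-circuit
    if all(ready):
        for ep in group:
            ep.activate()
        return True
    for ep in group:
        ep.discard()
    return False

if __name__ == "__main__":
    sites = ["site-a", "site-b", "site-c"]   # constructed site names
    print(naive_rekey(make_group(sites, unreachable={"site-c"}), 2))  # split group
    g = make_group(sites, unreachable={"site-c"})
    print(failsafe_rekey(g, 2), key_ids_in_use(g))  # rekey deferred, one key id
```

The model leaves out what happens when a member fails between the two phases; a deployed scheme would also need an overlap window in which the old key is still accepted for decryption.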

Security management.

The EncrypTight Manager uses separate roles for security control and network management. This way, you can outsource network management without losing control of the security policies and keys.

Prove compliance.

The EncrypTight Manager’s powerful logging and auditing capabilities can help you easily establish, maintain, and prove regulatory compliance. You can also customize dashboards to show device status.

Deployment options.

Reduce the cost of deploying a clustered server infrastructure by choosing to use a virtual server or a physical server. You can use virtual servers to deploy EncrypTight Manager to an existing VMware server or to a laptop running VMware Player.

The EncrypTight Manager.


The EncrypTight™ Manager is an integral part of the complete EncrypTight solution for network encryption and authentication that spans from the edge of the network to the IaaS cloud.

The benefits of the EncrypTight Manager.

Features: Simple, yet powerful drag-and-drop security policy builder.
Benefits: Makes it easy to create and deploy multilayer encryption and authentication policies.
What it does for you: Reduces your time and the expenses spent on network security and compliance.

Features: Periodic key updates and rapid key revocation.
Benefits: Minimize your risk of a data breach. Increase your ability to react quickly if there’s an attack so you can minimize losses.
What it does for you: Protect sensitive information.

Features: Clustered architecture.
Benefits: Provides high availability with linear scalability and disaster recovery.
What it does for you: Reduce network downtime. Support large and mission-critical networks.

Features: Partial policy push. Configuration validation.
Benefits: Make fewer device and policy changes. All changes are validated.
What it does for you: Save time. Avoid mistakes. Minimize network outages.

Features: Role-based access control.
Benefits: Provides separate roles for security control and network management.
What it does for you: Gives you cost-effective and secure outsourcing without losing control of security.

Features: Browser-based, multi-user interface. Server can be physical or virtual.
Benefits: Secure group encryption management in a browser by multiple authorized users from anywhere and on any platform.
What it does for you: Superior usability and flexibility enable you to reduce operational expenses compared to traditional site-to-site VPNs.

Features: Powerful, user-friendly logging and auditing capabilities.
Benefits: Makes it easy to establish, maintain, and prove compliance.
What it does for you: Reduce initial and ongoing compliance costs.

Features: Three-tier Web-based architecture.
Benefits: Prepares you for future growth into the cloud.
What it does for you: This cost-effective investment will accommodate your future needs.

Features: Fail-safe rekeys.
Benefits: Group keys are updated only when all group members are ready.
What it does for you: Reduce network downtime.

EncrypTight Manager Solution


What is EncrypTight Secure Mesh Internet (SMI)?

The EncrypTight Secure Mesh Internet is a hardware/software solution that enables you to replace expensive, private, site-to-site network connections with low-cost, any-to-any network connections over the Internet. It will help you save money, reduce management costs, increase bandwidth, and get better security.

The low-cost alternative to private networks.

Many organizations use expensive, private WANs, such as T1, MPLS, or Metro Ethernet, for three primary reasons: availability, security, and any-to-any connectivity. What they actually get is lower than optimum throughput, especially when compared to the high throughput home users enjoy over the Internet.

If you want to lower costs and increase throughput, consider EncrypTight. It will enable you to quickly and easily set up a fully encrypted “mesh” that provides high-speed, secure, any-to-any connectivity over any public (or private) network. You can switch from expensive, private WAN links to inexpensive, public Internet connections with much greater bandwidth. Plus, you’ll get a fully compliant solution that offers security via encryption and on-going authentication.

Why you should encrypt data in motion.

It is important to understand that VPNs and technologies such as MPLS are not encrypted by default and require additional security measures to protect data. Even if the network is “private” or “virtually private,” it is still subject to attacks. Data sent on MPLS networks is kept separate from other traffic, but it is not encrypted. What’s more interesting is that over the past few years, many MPLS carriers have merged their private WANs and Internet backbones to reduce the burden of maintaining two separate backbones.

How is EncrypTight SMI different than a VPN?

EncrypTight gives you the same any-to-any connectivity as an encrypted VPN, but without the headaches and performance issues. EncrypTight is easier, faster, and much less costly to set up and manage than VPNs. With VPNs, all traffic, even branch-to-branch traffic, must route through a central site. This means higher latency and degraded performance.

The EncrypTight SMI solution is based on group encryption in which the encryption keys are centrally generated and securely sent to the EncrypTight appliances. This enables you to manage policy and key distribution centrally instead of on a time-consuming, site-by-site basis, as is the case with VPNs. EncrypTight enables you to secure “data in motion” in a way that is transparent to network architectures and protocols. And, if you decide to migrate to the Internet from MPLS networks using EncrypTight, you don’t experience any service interruptions.

The safe harbor clause and compliance.

Nearly every regulation specifying data protection, including HIPAA, HITECH, and all state privacy laws, says that encryption is a safe harbor.

Safe harbor clauses specify circumstances in which companies are exempt from notification requirements or other penalties if there’s a breach. It is especially critical given that large-scale breaches (where 500 or more records are compromised) require additional and very public notifications. In light of these risks, it makes sense to take advantage of safe harbors.

Who can use EncrypTight Secure Mesh Internet?

Because this system is so secure, it can be used across a broad range of applications and industries, such as:

• All size networks, even enterprise networks.
• Local, national, and international branch offices
• Home-office employees
• Healthcare
• Finance and banking, including ATMs
• Education
• Retail and hospitality
• Public areas
• Government (All EncrypTight appliances are FIPS certified.)
• Manufacturing
• ISPs

Fast ROI.

The EncrypTight SMI solution can give you a positive ROI in as little as three months when bandwidth rates remain the same before and after implementation. If you increase your bandwidth, as most companies do, you will likely see a positive ROI within the first year. Of course ROI can vary and is dependent on the number of sites you have and the rates you pay for public and private connections.


Three ways EncrypTight is better than traditional IPsec.

EncrypTight policies are network oriented, not device specific. The encryption keys are distributed to groups of endpoints, so any group member can talk to any other without point-to-point tunnel constraints.

With traditional IPsec, encrypted traffic goes from a specific device to a specific device. If a router goes down, the data can’t be decrypted without being retransmitted.

Traditional IPsec requires new tunnels for all new sites, resulting in a complex and static routing cloud on top of a flexible and dynamic network.

Data is encrypted without disrupting network operations or application performance. Additional sites are easily added using site-based policies. The result is a scalable, flexible, dynamic, and secure network.

Encryption without tunnels.

[Figure: Traditional IPsec; Sites A, B, C, and D.]

[Figure: Traditional IPsec; Sites A and B.]

Dynamic traffic flow.

[Figure: Traditional IPsec; Sites A and B.]

Traditional IPsec policies are strictly device oriented, which requires encrypted traffic to be routed from a specific device to another specific device. The result is static tunnels across the network.

With the EncrypTight appliances, the original header is preserved. The groups and shared keys enable secure load balancing, resulting in encrypted data traveling the most efficient route.


5 Mbps EncrypTight Appliance
• Code: ET0005A
• Available speeds: 5 Mbps
• Connectors: Local: (4) 10-/100-/1000-Mbps RJ-45 Ethernet; includes 4-port switch; Remote: (1) 10-/100-/1000-Mbps RJ-45 Ethernet; Management: (1) DB9 serial male
• Power: Autosensing 100–240-VAC, 50/60 Hz External Power Supply
• Size: 1"H x 5.25"W x 4"D (2.5 x 13.3 x 10.2 cm)
• Weight: Desktop: 1.1 lb. (.5 kg)

3–50 Mbps EncrypTight Appliance
• Code: ET0010A
• Available speeds: 3, 6, 10, 25, 50 Mbps
• Connectors: Local: (1) 10-/100-/1000-Mbps RJ-45 Ethernet; Remote: (1) 10-/100-/1000-Mbps RJ-45 Ethernet; Management: (1) 10-/100-Mbps RJ-45 Ethernet, (1) RJ-45 RS-232; For future use: (1) RJ-45
• Power: Autosensing 100–240-VAC, 50/60 Hz External Power Supply
• Size: 1.6"H x 8"W x 5.8"D (4 x 20.3 x 14.7 cm)
• Weight: Rackmount: 3 lb. (1.4 kg); Desktop: 1.3 lb. (0.6 kg)

100–250 Mbps EncrypTight Appliance
• Code: ET0100A
• Available speeds: 100, 155, 250 Mbps
• Connectors: Local: (1) 10-/100-/1000-Mbps RJ-45 Ethernet; Remote: (1) 10-/100-/1000-Mbps RJ-45 Ethernet; Management: (1) 10-/100-Mbps RJ-45 Ethernet, (1) RJ-45 RS-232
• Power: Autosensing 100–240-VAC, 50/60 Hz Internal Power Supply
• Size: 1.75"H (1U) x 17"W x 10"D (4.4 x 43.2 x 25.4 cm)
• Weight: 6 lb. (2.7 kg)

500 Mbps–1 Gbps EncrypTight Appliance
• Code: ET1000A
• Available speeds: 500, 650 Mbps; 1 Gbps
• Connectors: Local: (1) SFP (1000-Mbps); Remote: (1) SFP (1000-Mbps); Management: (1) 10-/100-Mbps RJ-45 Ethernet; (1) RJ-45 RS-232; For future use: (1) RJ-45, (1) SFP
• Power: Dual, Hot-Swappable, Autosensing 100–240-VAC, 50/60 Hz Internal Power Supply
• Size: 3.5"H (2U) x 17"W x 15"D (8.9 x 43.2 x 38.1 cm)
• Weight: 9 lb. (4.1 kg)

2.5–10 Gbps EncrypTight Appliance
• Code: ET10000A
• Available speeds: 2.5, 5, 10 Gbps
• Connectors: Local: (1) SFP+ (10-Gbps); Remote: (1) SFP+ (10-Gbps); Management: (1) 10-/100-Mbps RJ-45 Ethernet; (1) RJ-45 RS-232; For future use: (4) RJ-45, (3) SFP, (2) USB
• Power: Dual, Hot-Swappable, Autosensing 100–240-VAC, 50/60 Hz Internal Power Supply
• Size: 3.5"H (2U) x 17"W x 15"D (8.9 x 43.2 x 38.1 cm)
• Weight: 22 lb. (10 kg)

Ordering information (Item: Code)

First, select your appliance…

EncrypTight™ Appliances
• 5 Mbps: ET0005A
• 3–50 Mbps: ET0010A
• 100–250 Mbps: ET0100A
• 500 Mbps–1 Gbps: ET1000A
• 2.5–10 Gbps: ET10000A

…then, select a license for the desired bandwidth…

EncrypTight Bandwidth Licenses

ET0005A License
• 5-Mbps (Fixed bandwidth. Cannot be upgraded.): ET-BWLF-5MBPS

ET0010A License
• 3-Mbps: ET-BWL-3MBPS
• 6-Mbps: ET-BWL-6MBPS
• 10-Mbps: ET-BWL-10MBPS
• 25-Mbps: ET-BWL-25MBPS
• 50-Mbps: ET-BWL-50MBPS

ET0100A Licenses
• 100-Mbps: ET-BWL-100MBPS
• 155-Mbps: ET-BWL-155MBPS
• 250-Mbps: ET-BWL-250MBPS

ET1000A Licenses
• 500-Mbps: ET-BWL-500MBPS
• 650-Mbps: ET-BWL-650MBPS
• 1-Gbps: ET-BWL-1GBPS

ET10000A Licenses
• 2.5-Gbps: ET-BWL-2.5GBPS
• 5-Gbps: ET-BWL-5GBPS
• 10-Gbps: ET-BWL-10GBPS

To rackmount the ET0005A, order…
• EncrypTight Single ET0005A Rackmount Kit, 19", 1U: ET-RM-1
• EncrypTight Dual ET0005A Rackmount Kit, 19", 1U: ET-RM-2

For an instant 10-Mbps Encryption Solution, order…
• EncrypTight Starter Kit: ET-STARTER-KIT
  ✦ Includes (2) EncrypTight™ Appliances (ET0010A) and (2) 10-Mbps Bandwidth Licenses (ET-BWL-10MBPS).

To add more users to EncrypTight Manager, order…
• EncrypTight Management User License: ET-MGR-SW-USER

To add a Disaster Recovery License, order…
• EncrypTight Disaster Recovery License: ET-MGR-SW-DR

To add a Cluster Server License, order…
• EncrypTight Cluster Server License: ET-MGR-SW-CLSTR

For EncrypTight Manager pre-loaded onto an optimized server, order…
• EncrypTight Manager Server: ET-MGR-HW

Ordering EncrypTight Management

Each EncrypTight appliance includes EncrypTight Manager, which consists of one EncrypTight Manager software license for use on one server; one management user license, which supports one active user at a time and an unlimited number of named user accounts; documentation; and a CD containing key, policy, and device management software in VMware® format.

To add more simultaneous active users, order EncrypTight Management User Licenses (ET-MGR-SW-USER).

EncrypTight Manager is also available preloaded onto an optimized Dell® PowerEdge® R310 server (ET-MGR-HW). EncrypTight Manager Server requires an EncrypTight Management User License (ET-MGR-SW-USER) for the first user as well as for each additional user.

Clustered servers can be added to the main server. Each additional clustered server requires an EncrypTight Cluster Server License (ET-MGR-SW-CLSTR). If you use a disaster recovery server, you’ll need an EncrypTight Disaster Recovery License (ET-MGR-SW-DR).
