L3 Box S* VPN Gateway for RESTRICTED Communication - Secunet
(Box S)
L3 Box S*
VPN Gateway for RESTRICTED Communication

As a VPN gateway, the SINA L3 Box is a key component of the central IT infrastructure in high-security networks. The data exchanged between the SINA components is securely transmitted via encrypted VPN tunnels. SINA L3 Boxes connect public authority or corporate networks via public lines such as the Internet. Additionally, SINA L3 Boxes can be configured as cryptographic network access points for SINA clients to (terminal) servers.

The SINA L3 Box S and its predecessors, SINA Box LE, SINA Box 1U (5xLAN) and SINA Box 1000, are IP-based encryption systems approved by the German Federal Office for Information Security (BSI) for transmitting classified information for both RESTRICTED and NATO RESTRICTED classification levels. Just like its predecessors, the SINA L3 Box S also serves national and international high security networks.

Due to the increased temperature ranges, the integrated touch display and a more modest power consumption, the new SINA L3 Boxes S 30M, 200M and 1G are more flexible than their predecessors. Additionally, the new SINA Boxes S 200M, 1G and 3G are substantially lighter. The network interfaces can be fitted with SFP modules according to specific needs. This allows for a flexible adaptation to the customer’s network infrastructure. Compared with the SINA Box 1000, the new SINA L3 Box S 1G has a more compact design (19” 1U). Both models of the SINA L3 Box S 3G are equipped with ten network interfaces each, which makes them most suitable for use in complex central network nodes. A crypto performance of up to 3 GBit/s makes it the most powerful device of the SINA L3 Boxes S.

Benefits:
» Approved up to RESTRICTED and NATO RESTRICTED
» High data throughput
» High availability
» Increased temperature ranges
» State-of-the-art technology in complex security networks
» Network interfaces can be fitted with SFP modules according to customer requirements

The SINA L3 Box S software version 3.3 (planned for Q4 2012) provides IPv6 capability.

IT security concept
The SINA L3 Box S is based on an integrated IT security concept. In particular, this concept includes:
» A hardened and intensively evaluated Linux system platform
» Smart card technology
» IPsec-based virtual private networks
» Hardware and software scaled and configured according to approval requirements

Secure system boot and operation
Depending on the actual conditions of the IT infrastructure and project-specific communications requirements, it is possible to use the SINA L3 Boxes S with thousands of simultaneous security associations. Upon system start-up, the SINA L3 Box S software is securely loaded from flash memory. All initial configuration data and security associations for the SINA L3 Box are stored in a protected area of the SINA smart card. When a SINA L3 Box is started, the security associations to the SINA Management and the communications-related SINA L3 Boxes are set up as IPsec VPN tunnels. If necessary, additional security associations or configuration data can be downloaded from the SINA Management. This greatly simplifies configuration, installation and hardware replacement with the SINA L3 Box.

Systems monitoring
The SINA L3 Boxes log all data relevant to system monitoring during operation. The syslog data can be imported into network management systems for further processing and/or displayed as required. The new SINA L3 Box S software version 3.3 (planned for Q4 2012) supports SNMP v2c.

High availability
Using redundant configurations, it is possible to increase availability and safeguard against failure of SINA L3 Boxes. An automatic switchover mode triggers a second SINA L3 Box to take over the functions of the failed SINA L3 Box. The SINA L3 Boxes S 1G and 3G are equipped with redundant power supply units.

Satellite communication
The use of SINA L3 Boxes requires IP-enabled transport networks, including satellite communication lines. Satellite optimisers support the effective use of the available bandwidth of the satellite lines.

Management
The SINA Management is used for central configuration of all SINA L3 Boxes in the network. An integrated public key infrastructure (PKI) with the corresponding user management supports the main administrative processes, particularly the personalisation, generation and/or updating of keys and cryptographic parameters as well as the administration of associated PINs and PUKs on the smart cards.

Additional details and performance data

Approval-related construction classes | SINA L3 Box S
Approval level | RESTRICTED, NATO RESTRICTED, RESTREINT UE**
Software versions | 2.2; 3.3 (planned for Q4 2012)
Authentication token | SINA smart card

| SINA L3 Box S 30M | SINA L3 Box S 200M | SINA L3 Box S 1G | SINA L3 Box S 3G 10Cu | SINA L3 Box S 3G 6Cu 4SFP
General technical data
Size | 228 x 165 x 44,45 mm | 19” 1 U | 19” 1 U | 19” 2 U | 19” 2 U
Weight | 1.8 kg | 7.8 kg | 9 kg | 12.5 kg | 12.5 kg
Power consumption | 18 W | 85 W | 105 W | 256 W | 256 W
Crypto hardware
Encryption performance | approx. 30 MBit/s | approx. 200 MBit/s | approx. 1000 MBit/s | approx. 3000 MBit/s | approx. 3000 MBit/s
Symmetric cryptography | AES | AES | AES | AES | AES
Asymmetric cryptography | EC-GDSA, EC-DH | EC-GDSA, EC-DH | EC-GDSA, EC-DH | EC-GDSA, EC-DH | EC-GDSA, EC-DH
LAN connections
Network interfaces*** (Cu) | 4 x 10/100/1000 MBit Cu | 4 x 10/100/1000 MBit Cu | 4 x 10/100/1000 MBit Cu | 10 x 10/100/1000 MBit Cu | 6 x 10/100/1000 MBit Cu
Network interfaces*** (SFP): 2 x 1000 MBit SFP; 2 x 1000 MBit SFP; 4 x 1000 MBit SFP
Temperature
Operation | +5 °C to +40 °C | +5 °C to +40 °C | +5 °C to +40 °C | +5 °C to +40 °C | +5 °C to +40 °C
Transport | -20 °C to +60 °C | -20 °C to +60 °C | -20 °C to +60 °C | -20 °C to +60 °C | -20 °C to +60 °C
Item number | SB50.04 | SB50.23 | SB50.24 | SB50.05 | SB50.22

* For further information about the new naming concept refer to: www.secunet.com/en/sina.
** For German national use only.
*** Due to several different producer-specific product variations, SFP modules are not included in the scope of delivery. For example, the following modules can be loaded: Finisar FTLF8519P2BNL (optic fibre, Short Range, Multi Mode), Source SP-GB-LX-CDFH (optic fibre, Long Range, Single Mode) or 3COM 3CSFP93 RJ45.

More information:
www.secunet.com/en/sina
SINA_L3BoxS_V1_04/12_GB

secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
Phone: +49-201-5454-0
Fax: +49-201-5454-1000
E-mail: info@secunet.com
www.secunet.com