Network Encryption from CipherOptics
 
 

CipherOptics Security Gateway Technology


Data protection without complexity
What sets CipherOptics apart from other data protection and network security solutions is its Transparent In-Line Encryption Architecture, TILEA. TILEA uniquely solves the problems of latency and throughput that hamper other data protection solutions, including VPN blades and firewall extensions. TILEA follows the IPSec standard, is FIPS 140-2 Level 2 validated and is interoperable with other IPSec solutions. Its performance is based on its unique, fast policy look-up engine, which puts its encryption and decryption cycles in the microsecond range, exponentially faster than any other encryption technology at 100 Mbps and above. This means that there is no effect on network performance, with 1.9 Gbps full-duplex throughput and virtually no latency for the applications. TILEA also enables CipherOptics' security gateways to have a "bump-in-the-wire" implementation; they quickly and easily integrate into existing IP networks without adding any complexity or requiring costly network reconfigurations or upgrades.

In-line network encryption
CipherOptics has implemented the IETF's (Internet Engineering Task Force) concept of "bump-in-the-wire" with its streaming TILEA architecture. This implementation gives CipherOptics' IPSec encryption appliances their performance advantage. However, the CipherOptics implementation expands on what it means to be bump-in-the-wire. Because the gateways are intelligent, network-aware devices, they overcome the limitations of traditional bump-in-the-wire deployments. They participate in network activities, such as error recovery, to respond to what is happening on the network. With TILEA, transparent implementation and operation, and device intelligence, are not mutually exclusive.

Encryption and authentication at wire speed
CipherOptics manufactures standards-compliant IPSec Security Gateways, the SG1001 and SG1002. These devices provide encryption and authentication of Layer 3 IP packets at full theoretical maximum performance with latencies in the range of 3 to 15 microseconds, depending on packet size. Wire-speed performance is achieved by a data plane architecture, TILEA (Transparent In-Line Encryption Architecture). TILEA is implemented using high-performance off-the-shelf components. Those components include:

· A high performance network processor
· A fast policy search engine, the Ternary CAM
· A 2 gigabit cryptographic accelerator
· Highly optimized firmware for the network processor

Performance - full bandwidth utilization and ultra-low latency
The two graphs below show the performance characteristics of the CipherOptics gigabit platform.



This graph shows the performance characteristics of the CipherOptics SG1002. There are 3 curves on this graph:

1. IP THROUGHPUT is the measured performance of transmitting IP packets over an Ethernet interface. A Spirent SmartBits packet generation tool is used in a back-to-back mode. It can be seen that 100% gigabit throughput is not achieved because the Ethernet header overhead consumes a small amount of bandwidth for longer packets. For shorter packets the Ethernet overhead becomes more significant and the performance falls further below gigabit.

2. IPSEC THROUGHPUT is the second curve and represents a calculated performance curve for a perfect encryption device that takes into account the overhead of additional headers required by the IPSec standard, in addition to the Ethernet header overhead. Again, these headers are fairly insignificant for longer packets, but become more pronounced at shorter packet lengths.

3. SG1002 AES THROUGHPUT is the third curve and represents the measured performance of the CipherOptics SG1002. This curve approximates the perfect curve down to the shortest packet sizes, where there is some degradation.
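
The first two curves can be reproduced from header arithmetic alone. The following is an added example, not CipherOptics code or data: it assumes a 1 Gbps link, ESP tunnel mode, AES-CBC and HMAC-SHA1-96, none of which the page specifies, and all function names are hypothetical.

```python
# Added example: theoretical IP and IPSec throughput on a 1 Gbps Ethernet link.
# Assumptions (not stated on the page): ESP tunnel mode, AES-CBC, HMAC-SHA1-96.

LINE_RATE_BPS = 1_000_000_000

# Per-frame Ethernet cost on the wire:
# preamble + SFD (8), MAC header (14), FCS (4), inter-frame gap (12).
ETH_OVERHEAD = 8 + 14 + 4 + 12
ETH_MIN_PAYLOAD = 46   # shorter payloads are padded up to this size

OUTER_IP = 20          # new IPv4 header added by tunnel mode
ESP_HEADER = 8         # SPI + sequence number
AES_BLOCK = 16         # cipher block size, also the CBC IV length
ESP_TRAILER = 2        # pad-length byte + next-header byte
ICV = 12               # truncated HMAC-SHA1-96 integrity check value


def wire_bytes(ip_len):
    """Byte times of link capacity used by one frame carrying ip_len bytes of IP."""
    return max(ip_len, ETH_MIN_PAYLOAD) + ETH_OVERHEAD


def esp_tunnel_len(ip_len):
    """Length of the outer IP packet after ESP tunnel-mode encapsulation."""
    # Inner packet plus ESP trailer is padded up to a whole AES block.
    padded = -(-(ip_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return OUTER_IP + ESP_HEADER + AES_BLOCK + padded + ICV


def ip_throughput_bps(ip_len):
    """Curve 1: best-case cleartext IP throughput for a given packet size."""
    return LINE_RATE_BPS * ip_len / wire_bytes(ip_len)


def ipsec_throughput_bps(ip_len):
    """Curve 2: inner-packet throughput through a 'perfect' encryption device."""
    return LINE_RATE_BPS * ip_len / wire_bytes(esp_tunnel_len(ip_len))


def curve(sizes=(46, 64, 128, 256, 512, 1024, 1400)):
    """Return (size, ip_bps, ipsec_bps) rows; 1400 keeps the outer packet under 1500."""
    return [(n, ip_throughput_bps(n), ipsec_throughput_bps(n)) for n in sizes]


if __name__ == "__main__":
    print(f"{'IP bytes':>8} {'IP Mbps':>9} {'IPSec Mbps':>11}")
    for n, ip, ipsec in curve():
        print(f"{n:>8} {ip / 1e6:>9.1f} {ipsec / 1e6:>11.1f}")
```

The gap between the two columns is widest at the smallest sizes, where the fixed ESP and outer-header bytes are a large fraction of each packet.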



This graph gives a latency view of 2 of the measurements/calculations depicted in the Full Duplex graph. It can be seen that the measured latency of the CipherOptics SG1002 is in the range of 12 to 50 microseconds, depending on packet size, for typical IP packet sizes. A longer packet takes a longer time to transit the device.

Latency is a function of the time it takes a packet to transit the system. For an IPSec appliance, latency is the measurement of the time it takes to enter the source system, encrypt the packet, enter the destination system, decrypt the packet and exit the system. The CipherOptics SG1002 uses a streaming architecture, which removes the effects of buffering from the latency measurement. The latency, then, is a measurement of the time it takes to clock a packet into the appliance, look up a security policy, perform the encrypt or decrypt task, and clock the packet out of the system and back onto the network.