Guide to hardware-based encryption product specifications

The product snapshots in this chapter highlight key specifications for a cross section of dedicated encryption appliances.

An encryption appliance inserts inline into the existing network and uses purpose-built electronics to encrypt full-duplex data at multigigabit line speeds. This essentially eliminates the performance penalty imposed by encryption software running on a general-purpose server and allows the organization to encrypt more data in flight to storage at local or remote locations. The biggest downside to encryption appliances is their upfront expense, and implementing multiple appliances within the same organization can be cost prohibitive. Key management is also important since keys are managed within the appliance itself. The following products were selected based on input from industry analysts and SearchStorage.com editors, and specifications are current as of September 2007.

The following specifications have been provided by vendors and are periodically updated. Vendors are welcome to submit their updates and new product specifications to Matt Perkins.

Go to the first product snapshot, or select the desired product below:

  • Crossroads Systems Inc.; Crossroads StrongBox TapeSentry f4
  • CipherMax Inc.; CM100T Tape Appliance
  • CipherMax Inc.; CM180D, CM250 and CM500 Disk Appliances
  • CipherOptics Inc.; Security Gateway
  • Digital Security International; Paranoia2 Appliance
  • Hifn Inc.; Swarm 1000 Appliance
  • Hifn Inc.; Sypher 3000 Appliance
  • Ingrian Networks, Inc.; DataSecure i-Series Appliance
  • NeoScale Systems Inc.; CryptoStor Tape Appliance
  • NeoScale Systems Inc.; CryptoStor FC Disk Appliance
  • Network Appliance Inc.; Decru DataFort Security Appliance
  • Vormetric Inc.; CoreGuard


    Product Snapshot #1
    -----------------------------------------------------------------------------------------------------------

    Product: Crossroads Systems, Inc.; Crossroads StrongBox TapeSentry f4

    Encryption type: AES 256 CBC (Cipher Block Chaining)
    Encryption strengths: 256-bit encryption algorithm
    Encryption targets: The encryption targets are FC tape drives. We are in development for the support of SCSI drives.
    Compression: Yes, LZF
    Compression before encryption: Yes
    Key complexity: The AES 256 bit keys are generated using a strong pseudorandom number generator. One key is issued per tape and the tape header contains only the key ID and not the key itself. The keys are stored in an encrypted form in a key database. The keys are always secure and transmitted through a secure channel using SSL.
    Key management: TapeSentry provides the following enterprise-class key management features: Key generation using a strong pseudorandom number generator; Key storage in encrypted form in a relational database; Key recovery that includes secure backup and restoration of the key database for complete disaster recovery; Key sharing that occurs between multiple TapeSentry appliances with trusted relationships using mutually authenticated SSL connections
    FIPS Validated: No; In process of getting FIPS validation for 140-2 level 2
    Data encrypted at rest: No; TapeSentry is a solution geared towards data-at-rest encryption by encrypting data as it is written to tapes.
    Data encrypted in flight: Yes; data is encrypted in-flight.
    Host and application protection: No; we do not provide environmental host and application protection as those solutions are offered by other solution providers. Given Crossroads' legacy working with all leading industry storage and security providers, TapeSentry f4 fully integrates with most enterprise environments.
    Access control features: Yes; Crossroads' patented access controls limit host visibility to the logical unit level device (LUN). Only those hosts that are mapped to a specific device can see that device in the network. All other hosts cannot see or discover those devices. This in turn limits which systems can recover data from those devices. TapeSentry offers a role-based user access management system to ensure security and separation of duty between administrative and security personnel. The appliance administrator installs, configures, and administers TapeSentry; the security administrator defines encryption policies, manages certificates and users, and views the audit log.
    Auditing and reporting features: Yes, we support digitally signed audit log of key to review security-related activity, such as when a user logs in, a policy is updated, or a certificate is created. TapeSentry provides discovery and system reports that help appliance administrators gather information on devices that are connected to ports and view information on the TapeSentry appliance and its configuration.
    Other encryption features (if any): TapeSentry provides unprecedented security and ease-of-use for a one-step disaster recovery solution, with secure sharing of data and keys across business partners and authorized locations. TapeSentry can integrate with external key management systems. This flexibility allows it to coexist with other key management systems in the enterprise. TapeSentry ensures the key database is backed up, and allows the automatic backup destination (NAS or SCP) to be at a secured remote site. This allows for a quick restoration of the key database at a remote site and recovery of critical business data.
    Interface/Ports: 4 port 4Gig Fibre Channel Appliance
    Vendor Comment: TapeSentry is the industry's highest performing solution delivering encryption into the existing fibre channel network. The backup application and tape devices require no upgrades or infrastructure change to implement this leading encryption appliance so all your data stored on tape media is fully secured. TapeSentry was designed using Crossroads' industry-leading routing platform called the Routing Messaging Interface (RMI). With over 100,000 systems in the field connecting tape drives and libraries using Crossroads RMI, TapeSentry customers are empowered with best-in-class interoperability and scalability.
    Availability: Currently available
    Base Cost: MSRP: $31,500
    Detailed Specs: http://www.crossroads.com/Products/StrongBox/TapeSentry.asp
    Vendor URL: http://www.crossroads.com/

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #2
    -----------------------------------------------------------------------------------------------------------

    Product: CipherMax Inc.; CM100T Tape Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.ciphermaxinc.com/products/products.html
    Vendor URL: http://www.ciphermaxinc.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #3
    -----------------------------------------------------------------------------------------------------------

    Product: CipherMax Inc.; CM180D, CM250 and CM500 Disk Appliances

    No specifications were provided by publication time.

    Detailed specs: http://www.ciphermaxinc.com/products/products.html
    Vendor URL: http://www.ciphermaxinc.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #4
    -----------------------------------------------------------------------------------------------------------

    Product: CipherOptics Inc.; Security Gateways

    No specifications were provided by publication time.

    Detailed specs: http://www.cipheroptics.com/products/security-gateways.html
    Vendor URL: www.cipheroptics.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #5
    -----------------------------------------------------------------------------------------------------------

    Product: Digital Security International; Paranoia2 Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.dsiencryption.com/products.html
    Vendor URL: www.dsiencryption.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #6
    -----------------------------------------------------------------------------------------------------------

    Product: Hifn Inc.; Swarm 1000 Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.hifn.com/products.aspx?id=3506
    Vendor URL: www.hifn.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #7
    -----------------------------------------------------------------------------------------------------------

    Product: Hifn Inc.; Sypher 3000 Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.hifn.com/products.aspx?id=3510
    Vendor URL: www.hifn.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #8
    -----------------------------------------------------------------------------------------------------------

    Product: Ingrian Networks Inc.; DataSecure i-Series Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.ingrian.com/products.html
    Vendor URL: www.ingrian.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #9
    -----------------------------------------------------------------------------------------------------------

    Product: NeoScale Systems Inc.; CryptoStor Tape Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.neoscale.com/English/Products/CryptoStor.html
    Vendor URL: www.neoscale.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #10
    -----------------------------------------------------------------------------------------------------------

    Product: NeoScale Systems Inc.; CryptoStor FC Disk Appliance

    No specifications were provided by publication time.

    Detailed specs: http://www.neoscale.com/English/Products/CryptoStor.html
    Vendor URL: www.neoscale.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #11
    -----------------------------------------------------------------------------------------------------------

    Product: Network Appliance Inc.; Decru DataFort Storage Security Appliances

    Encryption type: AES 256
    Encryption strengths: 256 bit
    Encryption targets: All major platforms for NAS, file servers, IP SANs, Fibre Channel SANs, tape drives and libraries (SCSI and Fibre Channel)
    Compression: 2-to-1 compression is supported for tape encryption
    Compression before encryption: Yes, compression is done in hardware before encryption
    Key complexity: Keys are 256-bit length and have 256-bit entropy (i.e. they are generated by a True Random Number Generator and not from a predictable source, like a passphrase)
    Key management: Each DataFort appliance generates, tracks and manages its own keys during runtime operation. Decru Lifetime Key Management system is available in software or appliance form factor and supports archiving, retrieval and transfer of keys over time and across the enterprise.
    FIPS validated: Yes, FIPS 140-2, Level 3. Decru DataFort is also in process for Common Criteria certification, targeting EAL4+
    Data encrypted at rest: Yes
    Data encrypted in flight: Yes
    Host and application protection: Decru Host Authentication ensures only authorized and validated hosts can access data
    Access control features: Yes, DataFort can add a layer of enforcement to directory services, like Active Directory, NIS or LDAP, as well as additional registration capabilities
    Auditing and reporting features: Yes, comprehensive, configurable auditing is available to track access to data, administrative actions and other events. Logs can be exported to Syslog or other management tools.
    Other encryption features (if any): Other features include hardware-based encryption to prevent performance degradation; CryptoShred key deletion for easy, permanent deletion of expired data; role-based access controls, such as smart card-enforced roles for administrators; Cryptainer vaults, which allow different data to be encrypted with different keys for compartmentalization; and quorum-based recovery (using smart cards), which prevents any one person from having overly broad access to sensitive functions.
    Interface/ports: DataFort is available in several configurations; E-Series: two Gigabit Ethernet ports; Fibre Channel Series for disk or tape: two Fibre Channel ports; FC1020 for tape: 10 Fibre Channel ports; S-Series for tape: two SCSI ports
    Vendor comment: Decru created the storage security market in 2002. Decru solutions have been shipping for five years with proven encryption and key management deployments in financial services, healthcare, government, manufacturing and many other industries.
    Availability: Decru encryption and key management solutions are currently available
    Base cost: Pricing begins at $15,000 per appliance
    Detailed specs: http://www.decru.com/products/datafort0.htm
    Vendor URL: www.decru.com

    -----------------------------------------------------------------------------------------------------------

    Product Snapshot #12
    -----------------------------------------------------------------------------------------------------------

    Product: Vormetric Inc.; CoreGuard

    Encryption type: AES and Triple-DES encryption
    Encryption strengths: AES (128-bit and 256-bit key length); Triple-DES (keying option 1; three unique keys)
    Encryption targets: CoreGuard encrypts file system data. Security policies specify which files and folders get encrypted, which key is used and what users and applications are allowed to access and decrypt the protected files.
    Compression: Encrypted file system data is not compressed. CoreGuard 4.0 introduces backup agents that will optionally compress and then encrypt backup data.
    Compression before encryption: Yes
    Key complexity: Deterministic random number generator (DRNG) that is compliant with ANSI X9.31
    Key management: Keys are generated and stored on the CoreGuard Security Server that features FIPS 140-2 Level 2 validated design and is compatible with NIAP security requirements. Encryption keys are physically separate from the protected hosts. Security administrators authenticate to the server to configure security policies and associate them with encryption keys. CoreGuard then manages all authentications transparently. All encryption keys, system setup parameters and policy information can be exported in a secure format for remote safeguarding or key escrow and key exchange.
    FIPS validated: Yes, FIPS 140 Level 2 validation. Common criteria EAL 2 compliant.
    Data encrypted at rest: Yes, CoreGuard allows concurrent access to encrypted data files and ensures that only authorized users using the intended application can access and decrypt the data.
    Data encrypted in flight: No, although CoreGuard policies can ensure that encrypted data remains encrypted when accessed by specific network transfer applications.
    Host and application protection: Yes, CoreGuard protects the integrity of hosts and applications preventing the deployment of unauthorized applications and the introduction of unauthorized changes. CoreGuard authenticates the cryptographic fingerprint of all applications and resource files against a reference database, thereby preserving the system's "gold image" and preventing unauthorized applications and patches, software tools, operating/file system calls, and malicious code from running and accessing protected data.
    Access control features: Yes, in contrast to other solutions that authorize access requests based on one or more user attributes, CoreGuard's context-aware access control system grants access to protected data only after policy evaluation that can optionally include any of the following criteria: user, application, file, type of I/O and time.
    Auditing and reporting features: Yes, CoreGuard policies can audit specific I/O attempts to a file. The audit logs are centrally stored on the CoreGuard security server to record the complete context of the request, enabling complete traceability of host intrusion and data access events. The audit events capture the user, the application, the file name, the type of I/O, whether the action was allowed or denied, and whether or not an encryption key was used. Audit logs can also be exported for consolidation into event correlation and reporting applications.
    Other encryption features, if any: CoreGuard can optionally authenticate applications (processes and libraries) via digital fingerprints.
    Interface/ports: Data ports: Two 1000BaseSX Ethernet, SFP optical transceivers, LC connectors; Two 1000BaseT Ethernet, RJ45 connectors. Management: 10/100BaseT Ethernet, RJ45 connector; RS-232 serial, DB-9 connector. High-availability interface: 10/100BaseT Ethernet, RJ45 connector
    Vendor Comment: CoreGuard provides the only complete data protection solution through the tight integration of strong encryption, access control and separation of the duties of end users and system administrators, and host integrity protection.
    Availability: Currently available
    Base cost: Pricing starts at US$40,000
    Detailed specs: http://www.vormetric.com/products_features2.html
    Vendor URL: www.vormetric.com

    -----------------------------------------------------------------------------------------------------------

  • This was first published in October 2007
