There is not a PP applicable to SafeNet AT High Speed Encryptors (HSE) so they are not CSfC approved. The only approved PP for network encryption at Layer 2 is for a network device that implements Media Access Control Security (MACsec) encryption.
MACsec is a standard that was designed to encrypt Local Area Networks. It is increasingly built into third-party switches or routers, and is built into the ASICs (or silicon) of many of those devices. MACSec is generally very low cost or even free with some devices, and it has adequate performance due to its use of hardware encryption.
However, there are several practical problems with MACSec. From a standards perspective, MACSec is not ideal for many carrier links because of the encrypted frame format and key management messages. MACSec is also not suitable for multipoint topologies and does not provide the high assurance features that the SafeNet AT HSE product family offers:
- Secure, tamper-proof dedicated hardware
- Automatic, ‘zero-touch’ encryption key management
- End-to-end, authenticated network encryption
By contrast, HSE uses a carrier agnostic key management and encryption method based on formal IEEE recognized key management frames that means HSEs can work across all carrier environments. HSEs are field upgradable, support built-in crypto-agility and have higher performance than MACsec solutions.
While CSfC targets P2P deployments, SafeNet AT’s HSE offering provides an overall more secure and robust network encryption solution to meet the needs of our Federal customers.