SafeNet Virtualised Encryptor CV1000

User Guide (Windows)

Document: CV1000_TIM_WIN Release 02

Applicability and version support

CV1000, VMware, Virtual Box, KVM virtual environments v5.1.x
CM7 Management system (WindowsR) v7.8.0
Copyright © 2020 Senetas Corporation. All rights reserved.
The technology described in this document has been developed by Senetas Corporation and is distributed and supported
world-wide by Gemalto under the SafeNet brand.

Support Contacts
If you encounter a problem while installing, registering or operating this product, please make sure that you have read the
documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support. Gemalto Customer
Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrange-
ments made between Gemalto and your organisation. Please consult this support plan for further information about your
entitlements, including the hours when telephone support is available to you.

Contact Method Contact Information

Gemalto
Address 4690 Millennium Drive
Belcamp, Maryland 21017, USA
US 1-800-545-6608
Phone
International 1-410-931-7520
https://serviceportal.safenet-inc.com
Technical Support
Existing customers with a Technical Support Customer Portal account can log in to manage
Customer Portal incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.

Notice: Senetas documentation is produced in English and may be subject to translation for use in the other geographies where Senetas
products are installed. Senetas does not accept responsibility for any translation errors. All documentation remains the intellectual property of
Senetas Corporation, must not be copied without permission and it or any translation, must not be used to reverse engineer Senetas
products. (This statement is to remain in English)

Gemalto
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Tel +1 800 533 3958

Published: Tuesday, 4 February 2020

-i-
 Table of Contents
Section 1 - Encryption 1
Introduction 1
Audience 1
Navigating this document 2
Networks, Risk and Encryption 3
Networking 3
Data and risk 3
Risk analysis 4
Risk mitigation 4
The attack profile 5
Encrypting Data in Transit 6
Assigning responsibility 6
Management 7
SNMP integration 7
Passwords 7
Reliability 7
Summary 7
Network Encryption 8
Senetas terminology 8
Defining the network 11
Protocol considerations 11
Ethernet 11
Where to encrypt? 12
Senetas’ role 12
Network considerations 13
VPLS networks 13
VPWS networks 13
MPLS networks 13
Other considerations 14
Security Overview 15
Connection rule 15
Encryption process 16
Encryption modes 16
Carrier topology 20
Encryptor selection 20
Carrier connections 20
Port IP addresses 20
Customer A 21

ii SafeNet Virtualised Encryptor CV1000

 Encryptor configuration 21
Customer B 23
Encryptor configuration 23
Customer C 24
Encryptor configuration 24
Frequently Asked Questions 25
Encryption overview 27
Platform Overview 27
NFV Encryptor Introduction 28
CV1000 description 28
System requirements 30
Guest OS and network drivers 30
Performance Tuning 30
Version compatibility 30
Management interfaces 31
Management port statistics 31
Local port statistics 31
Network port statistics 32
Interface notes 32
Commissioning 34
Setting the IP address 34
Set the IP address through the CLI 34
Set the IP address from CM7 35
Setting Name and Date/Time 36
Setting the encryptor name from CM7 36
Setting Date and time via the CLI 36
Setting Date and time from CM7 36
Activation 37
Activating encryptors with CM7 37
Activating encryptors from the CLI 37
Feature introduction 37
User defined entropy 37
Preparing the .ent file 37
Monitoring 38
Expected consumption 38
Section 3 - Protocol encryption 40
Ethernet encryption 40
Basic operation 40
Operation within networks 41
Transport Independent (TIM) Mode 42

SafeNet Virtualised Encryptor CV1000 iii

 Key Provider model 42
Key Derivation Function 42
KMIP key servers 44
Traffic encryption 45
Egress Flow (Encryption Local -> Network port) 45
Ingress Flow (Decryption Network -> Local port) 45
TIM policy 45
Key synchronization 47
Shim formats 47
Encrypted Frame formats 48
Configuration using the CLI 49
Configuration Export 50
Section 4 - Encryptor management 51
Management systems 51
CM7 network manager 51
Command Line Interface 51
Third-party managers 51
Managing Encryptors 52
CLI management 52
SNMP management 52
SNMP connections 53
Direct connection to front panel 53
Out-of-band management 54
In-line management through the encryptors 54
Third-Party Managers 54
Routing considerations 55
Address translation, Port forwarding 55
RESTful JSON interface 56
RESTful examples 57
CM7 Network Manager 59
Launching and Logging in to CM7 59
SNMP security level 60
Exiting from CM7 61
CM7 Navigation 62
Configuring the discovered encryptor list 67
CM7 Screen selection 68
Discover screen 68
Activate screen 69
KeyVault 71
CM7 Licensing screen 71

iv SafeNet Virtualised Encryptor CV1000

 Senetas signed licenses 71
KDK Key distribution 75
Sentinel licensing 77
Manage screen 79
Management options 81
Front panel mimic 82
Overview 82
Utilization 83
System 84
Date/time 85
NTP Server Configuration 85
User 86
Console Management 87
Network addresses 87
SNMP 89
Syslog Server Configuration 89
FTPS and SFTP 90
KeySecure 90
KeySecure tiers 91
TACACS+ 91
Remote Secure Shell CLI access 92
SSH key pair creation 92
Policy 96
Key Derivation Function 97
Protocol 97
Protocol - Ethertypes 99
IP Rules 99
Encryption Interfaces 100
Diagnostics 101
Alarms 103
Event Log 104
Audit Log 104
Upgrade screen 105
User account management 107
Defining user accounts 107
Administrator access 108
Configuring CM7 110
Certificate hash algorithm 112
KDK Key generation 113
Installing CM7 114

SafeNet Virtualised Encryptor CV1000 v

 Windows 114
Initial configuration settings 117
Moving CM7 to a new PC 119
Alarms, event and audit logs 120
Logs 120
Alarms 120
Event log 121
Audit log 122
SNMP Traps 122
Appendix A-1 Audit log messages 123
Appendix A-2 Event log messages 128
Appendix A-3 Alarm messages 129
Appendix A-4 SNMP trap messages 132
Command Line Interface (CLI) 135
CLI connection 135
Customising the command line interface 135
Commands 136
activate 136
alarm 137
audit 137
autodisco 138
autopop 139
banner 139
community 140
con 140
date 140
erase 141
event 142
ftpcfg 142
global 143
help 143
history 144
hostname 145
initcfg 145
inventory 147
ip 148
iprules 150
kdf 151
keyprovider 152
kscfg 153

vi SafeNet Virtualised Encryptor CV1000

 kstier 153
licence 155
linkspeed 155
logout 157
ntpcfg 158
overview 158
password 159
profile 160
prompt 161
rest 161
reboot 162
snmpcfg 163
snmptraps 163
sshcli 164
stats 164
syslog 167
tacacs 167
timezone 168
transec 169
upgrade 170
usb 170
users 171
version 172
Glossary 173
Index 185

SafeNet Virtualised Encryptor CV1000 vii

 Section 1 - Encryption

Section 1 - Encryption
This introductory section covers the following topics:

Introduction 1
Management 7
Network Encryption 8
Security Overview 15

Introduction
Senetas hardware and software encryption platforms ensure that information is protected as it trans-
its through the network from one location to another This manual is intended to provide you with a
complete understanding of the Senetas product family and more importantly the role it can play in
protecting critical data. This manual includes specific details for the SafeNet Virtualised Encryptor
CV1000 (hereinafter may also be referred to as the "CV1000").
The need for data encryption within the data centre is generally well understood, however the need
to secure data-in-transit, that is the data traversing the network, is often overlooked. In reality the
security of your data is only as good as that provided by the weakest link and  both data-at-rest and
data-in-transit must be protected.
To really understand the way in which encryptors are used requires an appreciation of the risks that
exist and the manner in which these can be addressed. Differing network topologies have their own
vulnerabilities and these along with the nature of the data you are transmitting will determine the
approach that is required.
So, what is encryption, and how does it protect your data? In the sections that follow we will discuss
the basics, provide some history, describe the risks that exist, and how we can address these.
The term ‘Encryptor’ is a generic term as most encryptors are really both an encryptor and a
decryptor, that is, they encrypt traffic that is sent to the network and decrypt data arriving from remote
encryptors.
This document is organised into a number of chapters that describe all aspects of the products and
their application. These include; networks, risk, encryption, commissioning, security, platforms, pro-
tocols, installation, management and troubleshooting.

Notes such as this...

...... are used to provide you with summary information that allows the reader to gain a high
level understanding of the content.
This information allows you to scan the chapters content and quickly focus on those areas
that deliver in-depth coverage of an area of interest.

Audience
This document has been written to meet the needs of the broad cross section of readers who have
an interest in Senetas encryptors. By including comprehensive information for the complete product
range it provides the following:
l An understanding of encryption and products philosophy.
l The requirements of different networks and the way in which the products address these.
l The installation of encryptors

SafeNet Virtualised Encryptor CV1000 1

Section 1 - Encryption

l The configuration of encryptors to meet customer needs.

l The administration of encryptors.
l The diagnosis of any issues that could occur.
It is assumed that the reader is familiar with:
l The topology of the network in which the encryptor is to be used.
l The basic principles of computer networking, protocols and interfaces.
l The administration and operation of a computer network.
Companion documents that contain only a limited number of chapters are also available and these
are usually provided for training purposes.

Navigating this document

The 'Tables of Content' provide structured access to all of the material that is contained within the
document.
Active links are provided throughout to allow navigation within online copies of the manual.
In addition, a comprehensive linked index is provided which is supported by a glossary that explains
the many acronyms that are used throughout the communications industry.

Caution:
Important information that requires particular attention is included within messages that
include this caution caption.

2 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Networks, Risk and Encryption

This introductory chapter is organised as follows:
l An introduction to risk
l The need for encryption
l Network encryption
l The Senetas approach
l Encryption process
We will discuss in detail how virtualised encryptors protect data that is moving between two loc-
ations. Senetas virtualised encryptors currently only support the Ethernet protocol.
Along with the rest of the IT industry, encryption technology continues to advance and the Senetas
products set is no exception. You will find the latest information on the web at www.senetas.com

Networking
Networks provide the critical infrastructure that allows business, government, law enforcement and
financial institutions to inter operate in an efficient and secure manner.
The way in which your network is secured should be appropriate for your organisation and in line
with its security policy. The process relates to  managing the risk associated with the data being
accessed by third parties. The information that traverses your network will provide you with a starting
point for determining whether or not you should protect data.

Data and risk

Personal information - Whenever personal information is being handled it must be done in a secure
manner. Aside from the  decision  to respect the privacy needs of the individuals, the loss of data can
have dire consequences for the organisation to which it was entrusted. Many countries have laws
relating to loss of data or ‘breaches’, and even where such laws do not exist, you cannot assume
immunity from litigation.
Commercial information - Most organisations have a requirement to protect their financial data from
competitors or others who may use it for their own purposes. This is particularly important if you are
handling the data on behalf of others. Competitors will not hesitate to take advantage of competitive
intelligence gained from intentional or unintentional release of data.
Intellectual property - Your IP can be the ‘life blood’ of your business. Mark Getty the grandson of J
Paul Getty has said that “Intellectual Property is the Oil of the 21st century”. In today’s dynamic mar-
ketplace factors such as time-to-market and competitive-advantage can make the difference
between success and failure and therefore you need to ensure that others do not take advantage of
your investments.
Fraud - In some instances the threat to your organisation can come from criminal or fraudulent activ-
ity. Not only can data be intercepted, it can be modified so that the recipient acts in a manner that
benefits the intruder.
Terrorism - Where you are responsible for critical infrastructure or information that relates to secur-
ity, the need to protect data in transit is  critical. The information that requires protection may also
include voice, video, and control circuits.
Management responsibility - In some circumstances a conflict of interest can exist between those
who mange your network and those responsible for security. By separating the encryption function
from other network appliances such as routers, security can be enhanced.
Network weakness - The design of the network needs to mitigate risk. Security appliances should
be accredited to international standards.
Irrespective of the motivation of those who would attack your data, any losses may have a serious
impact. In some cases it will be financial, in others it may be your reputation within the markets or
areas that you operate. We all have customers and retaining their trust is essential; maintaining your
reputation is perhaps the single most important factor in retaining and expanding your business. In

SafeNet Virtualised Encryptor CV1000 3

Section 1 - Encryption

the commercial arena failure to address the impact that security breaches can have on building
shareholder value is a failure in corporate governance.
In summary it is important to understand that data of value to others may be targeted with attacks dir-
ected at your central computer systems, the underlying storage systems, or the data within private or
public networks. These may be based on intrusion, interception, data manipulation or injection and
each of these threats should be addressed.

Risk analysis
The task of risk analysis can be complex and a comprehensive treatment is well beyond the scope of
this document. It may be appropriate to engage a risk analysis professional, however as a starting
point there are a number of areas that you will need to consider, including:
l The existing security policies that your organisation has in place
l The value of your data to third parties
l New or potential vulnerabilities created by extending your applications and/or services to
other locations
l The types of secure communications that may be required for industry or regulatory com-
pliance
l Any local laws that must be followed regarding employee privacy in international locations
l The level of insurance cover that might be required to protect the business
l The security management strategy that you will follow
These considerations will provide a framework within which you are able to quantify the risks that
exist, which in turn will allow you to determine the type of protection that you require. Risks that are
typically encountered in the computer and communications industries include:
l Hackers breaking in to steal or destroy information
l Disgruntled employees attacking information and/or systems
l Malware in its many forms
l Acts of war and/or terrorism

Risk mitigation
There are a number of well defined approaches to reducing risk and it is likely that your business
practices will mean that many of these have already been implemented. Based on the identified
risks you should review each of the following:
l Access control to prevent unauthorised entry to secure areas
l Measures to discourage tailgating
l Motion detectors and/or CCTV monitoring to secure areas
l Intrusion detection systems (IDS) to detect hackers
l Intrusion prevention systems (IPS) to counter penetration attempts
l Internal access controls based on passwords or identity keys
l Encryption of all network traffic
While not all of these measures will be applicable to all networks it should be remembered that the
security afforded to the organisation is only as good as the weakest link. Those who would attack
your system understand this and plan their attack accordingly.

Attack sources
16% from wiretaps or sniffing
70% from outside the organisation
39% via connections to business partners

4 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

The attack profile

The nature of your business and the data that you handle will have established the level of data pro-
tection that is required. Given this, the next consideration is the likelihood that an external party will
attempt to access your data.
There are a number of approaches that an attacker may adopt. Some aim to attack data while it is at
rest either within the host system or the storage subsystem, and there are a number of established
intrusion detection and  protection systems that address these threats. If we assume that these sys-
tems are in place then the attacker may well direct their efforts towards the network, attempting to
intercept the data-in-transit. Where the data is of value to the attacker, the internal systems and the
network traffic must both be protected.
Attacks can take many forms, including intercepts of data, modification of data, injection of invalid
data, disruption of operations, and VPN translation. The attack can be performed on copper or fibre
optic links using inexpensive and readily available equipment.

The security of virtualised encryptors requires that the host/hypervisor be secured to prevent unau-
thorised access to the virtual image. In addition, the virtual machine should never be moved to unse-
cured environments, unless cloned which results in a virtual tamper/erase.
Note that Senetas virtualised encryptors are not certified in the same way that physical encryptors
are. However they are designed with the same principles in mind and subject to the limitations of the
virtual environment they fully protect data in transit.

SafeNet Virtualised Encryptor CV1000 5

Section 1 - Encryption

Encrypting Data in Transit

Senetas offers a range of encryption devices that protect data in transit by providing inline encryption
at speeds up to 100Gbps. While Ethernet is the most commonly encrypted protocol, some models
provide support for other protocols such as ATM, SONET/SDH, Fibre Channel and binary links.
All Senetas encryptors are managed by a common element manager called CM7. CM7 is a Win-
dows application that installs on a PC (or server) and uses version 3 of the SNMP (Simple Network
Management Protocol) to configure and manage the encryptor via a secure encrypted connection.
Typically, you would manage a unit via a virtualised RJ45 port, or use out of band management to
access the (virtualised) port of a remote unit.
CM7 can also be used to configure SNMPv2 traps within encryptors so that they will report events,
alarms, etc., to a network management system such as OpenView or Tivoli, and CM7 can itself mon-
itor these traps. Encryptors maintain audit logs (operator actions), event logs (changes that
occurred), and an Alarm table (error states). These can be viewed with CM7 and saved and expor-
ted as files for archive and/or review.
If required the auxiliary management port can be enabled to allow a second isolated management
system to be connected. This supports the separation of duties between the physical and security
contexts of the units.
Encryptors can also be managed via a ‘craft’ interface. On virtual encryptors this is a VM console that
provides a Command Line Interface (CLI) that supports a range of commands providing similar func-
tionality to CM7. Prior to v2.6.1 of the firmware this interface did not provide certification functionality.
In the case of Ethernet encryptors operating at layer 2, units can be configured in point-to-point
mode or multipoint VLAN mode with up to VLANs1. Ethernet encryption is based on the AES
algorithm with 128 or 256 bit keys, and automatic key updates change the keys every 1-60 minutes
(user defined, default 60).
Your organisation will have existing security practices and the information provided in this document
should be used to validate and/or extend these.
Based on these practices you will need to assign responsibility for security, determine your training
requirements, and establish how you will install and physically protect and support the encryptor
hardware and software.

Network topologies
The network over which data is to be transferred is characterised by the topology that has
been selected by the network architect.
Senetas encryptors are available for most protocols and they can be configured to operate
in any of the modes that the topology supports. These include point to point or multipoint
(mesh).

Assigning responsibility
Responsibility for security should be given to the appropriate individuals and there should be doc-
umented backup or re-assignment processes to cover situations where staff members are not avail-
able. In cases where the network is outsourced it is strongly recommended that all matters relating to
encryption still be kept in-house.
Senetas encryptors provide four levels of user access security, these being ‘Administrator’, ‘Super-
visor’, ‘Operator’ and ‘Maintainer’. Each or these should have a strong password assigned and
access to ‘Administrator’ accounts should be restricted to a limited number of people.

1Model dependent

6 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Management
CM7 is a purpose-built WindowsR based software application designed to manage the Senetas fam-
ily of encryptors. CM7 provides a flexible and robust way of managing all aspects of a distributed net-
work of encryptors including real-time status monitoring configuration changes.

SNMP integration
Each encryptor generates SNMPv2 traps and these can be sent to any or all of up to 8 trap servers.
CM7 and third party products can be configured to catch and handle these trap messages. In the
case of CM7 the display shows the message sent by all of the configured encryptors. Refer to
" Appendix A-4 SNMP trap messages" on page 132”.

Passwords
During commissioning each encryptor will have passwords assigned for each user account. CM7
enforces strong user password rules and while it is unlikely that passwords will be discovered by an
attacker, precautions should be taken to prevent them being discovered or revealed.
The password requires at least 8 characters with at least 1 upper-case, 1 lower-case, 1 numeric and
1 special character.
As is the case with the CM7 database, it is essential that copies of all passwords be held securely so
that they can be recovered if the responsible person is no longer available to provide them. (This pro-
cess will normally have been defined as part of the IT policies and procedures of your organisation).

Reliability
Closely related to the security of the network is its reliability. While you can expect your Senetas
encryptors to remain trouble free, it is important that those responsible have been trained to install
and configure them to meet your organisations needs. In the unlikely event of a problem they should
be able to diagnose and rectify the fault in a timely manner. Support staff should complete the appro-
priate training prior to the initial installation.

Summary
Data encryption is an essential component of today’s networking infrastructure. Delivering to user
expectations requires that the encryption service be both secure and seamless and for these reas-
ons management must take the necessary steps to guarantee this.

SafeNet Virtualised Encryptor CV1000 7

Section 1 - Encryption

Network Encryption
The basics of network encryption are simple. The data stream is taken from the local protected net-
work, information that is to be protected is encrypted, the encrypted data is sent via the unprotected
network to the remote location where the data is decrypted to its original form and then passed to the
receiving protected network. The encryption process, and therefore the model of encryptor used,
depends on many factors including the communications protocol and the characteristics of the net-
work. Let’s start out by reviewing some of the terms we will be using.
Data-in-transit - refers to the data that is being passed between sites. Contrast this with data-at-rest,
which refers to data held on disk or being processed within the data centre. Data-at-rest may also be
encrypted, but is not the subject of our discussion.
Local, network and management Ports - refer to the ports on an encryptor that are used to connect to
the local (protected) network, the external (unprotected) network, and the management system that
will be used to configure and/or manage the unit. Senetas encryptors are shown symbolically in net-
work diagrams as shown in Figure 1 below.

Figure 1 Encryptor Symbol

Protected or unprotected?
As a convention, Senetas uses the term ‘protected’ to refer to the local (or Red) networks at
each end of the secured path since the data is being protected by both the encryption pro-
cess and each sites physical security.
The link between the encryptors is referred to as Black or ‘unprotected’ as it is open to inter-
ception and attack.

Protected against?
Encryptors provide protection against:
l eavesdropping
l data manipulation
l data insertion

Senetas terminology
Vendors use differing terms to describe both security and elements of the network. Senetas uses the
following terms to describe the operation of encryptors.

Action - is used to describe the application of policy to a connection. As examples, the policy may result in an ‘Encrypt
action’ or a ‘Discard action’. In some instances you will see terms such as ‘Encrypt mode’ or ‘Discard mode’, these being
used to indicate that the policy being applied will result in these actions.

Algorithms - are the defined arithmetic processes that are used to encrypt the data using the session keys.

8 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Bump-in-the-wire - a term used to refer to an encryptor that has been configured so that it is ‘transparent’ within the
network it is protecting. The benefit of such a configuration is that it can be readily bypassed for testing purposes -
which is also a weakness as it allows the security provided by the encryptor to be bypassed.

CM7 - refers to the Senetas network manager used to certify, manage and monitor encryptors within the network..

Common Criteria - CC refers to certification to the international standards.

Connection - is used to describe a layer 2 logical connection between two encryptors. An encryptor that is configured
in multipoint or mesh mode may have a number of ‘connections’ with its peers.

FIPS 140-2 - refers to certification to the FIPS standard. FIPS mode turned on by default. When operating in this
mode numerous startup tests are performed and the results logged in the event log. FIPS mode also uses a Diffie-Hell-
man key exchange to enforces authentication and privacy on the management port.

Keys - are the entities used to encrypt data. These include symmetric data encryption (DEK) and session (KEK) keys
used to encrypt production traffic and key updates.

The symmetric keys used to encrypt data when operating in TIM mode are automatically generated using the con-
figured Key Derivation Function.
Management keys are used to encrypt the commands that configure the encryptors. While older (physical) encryptors
used an installer defined password, current units use a Diffie-Hellman key pair to encrypt CM7 SNMPv3 commands,
thus ensuring that the session is totally secure.

The symmetric DEK keys used to encrypt the data (typically using the AES-256 bit algorithm) are created and
exchanged by the encryptors during session establishment. The DEKs are periodically updated using AES 256 bit
KEKs to encrypt the keys before they are transmitted to the remote encryptor. The KEKs are generated and securely
exchanged during session establishment.

Management interface - which usually refers to the virtualised RJ45 port that is used to connect a management sys-
tem to the encryptor to allow configuration and/or monitoring. Each encryptor also has a ‘craft’ (hardware) or VM con-
sole (virtual) interface that allows management via the Command Line Interface (CLI).

Mode - is used in several ways. For example when discussing the encryption of data we use it to define the actual
encryption mode - ‘CFB mode’ for Cipher feedback mode, ‘CTR mode’ for Counter mode, etc. In other cases ‘mode’
will be used more generally, for example an encryptor may be in ‘Line mode’ or ‘Multipoint mode’ in which case we are
referring to the specific mode of operation.

Network interface - or sometimes just ‘interfaces’, these refer to the physical/virtual means of connecting the
encryptor to the protected and unprotected networks. The type of interface varies depending on the network type and
speed and these are discussed in detail in later chapters. For now, suffice to say that for hardware encryptors the inter-
faces are usually copper RJ45 ones, fibre optic (SFP or XFP) ones, or in some legacy cases BNC or other cable con-
nectors.

Policy - is used to describe the overall set of rules that define the way in which encryption operates on a particular con-
nection. Policy schemes are defined for each protocol and apply to each connection.

Protocols - which refer to the various types of network traffic that we may need to encrypt. For hardware based
encryptors these include Ethernet, ATM, SONET/SDH, Fibre Channel and simple LINK protocols such as Serial,
E1/T1 and E3. the CN Series supports additional protocols. Virtual encryptors only support the Ethernet protocol.

Rules - refer to the elements that make up the overall encryption policy. These are established by way of the con-
figuration settings made via CM7 or the CLI.

Session - is used to describe the time bound process of establishing trust and initiating and continuing encryption of
the data stream. To emphasise that data is being encrypted we often refer to this as a ‘Secure session’.

Topologies - the logical and physical structure of the network we are encrypting is related to the protocol it supports.
We refer to dedicated links as ‘point to point’, those via the cloud where there may be more than two encryptors as ‘mul-
tipoint’ or ‘meshed’. Other protocols, for example SONET/SDH, where there can be more than two encryptors con-
nected to a ‘ring’ are also considered to be ‘multipoint’

SafeNet Virtualised Encryptor CV1000 9

Section 1 - Encryption

Tunnels - is used to describe a layer 3 IPSec connection, however for historical reasons you may see the term used
interchangeably with layer 2 ‘connections’ within CLI descriptions. We try to avoid the use of ‘tunnels’ when describing
layer 2 encryption.

10 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Defining the network

Network analysis is used to establish the types of traffic that need to be encrypted and how these
might be separated from other less critical traffic. In some case we do this by combining the traffic
with optical multiplexers and only encrypting those streams that require it.
As a starting point for our discussion regarding the manner in which encryption is used consider the
ISO model that is used to define the logical structure of the network.
Senetas encryptors are designed to protect data in motion, primarily at layer 2 of the ISO com-
munications model. At first glance encryption seems an easy choice; after all, why expose con-
fidential information to prying eyes when you can protect it by scrambling it?

Figure 2 OSI Model

Some of the traditional objections to encryption include loss of performance and the complexity of
managing encryption keys. Today, however, modern hardware and software systems have
addressed these issues to the extent that it is now possible to deploy hardware encryption to secure
information at full line rates up to 100Gbps and with simple fully automatic key management. Virtual
encryptor performance is dependent upon the hosting hypervisor.

Protocol considerations
As discussed, there are many different protocols used in the networks we may wish to encrypt. Pro-
tocols are based on standards and encryption needs to take these into account. The following sec-
tions overview each of the commonly encrypted protocols, providing background material that
supports a  more detailed discussion on the application of encryption to the most commonly
encountered networks.

Ethernet
The Ethernet Media Access Control (MAC), at Layer 2 of the OSI model, connects to the PHY (Layer
1) physical/virtual media (optical or copper).
The Ethernet architecture further divides the PHY into a Physical Media Dependent (PMD) com-
ponent and a Physical Coding Sublayer (PCS). An example of a PMD is an optical transceiver.,
whereas the PCS refers to the coding (e.g., 8b/10b) and serializer or multiplexing functions.
The 802.3ae specification defines two PHY types: the 10GBASE-R, LAN physical layer device (LAN
PHY) and the 10GBASE-W, WAN physical layer device (WAN PHY). The WAN PHY is simply an
optional extended operating feature added to a LAN PHY. These PHYs are solely distinguished by
the PCS.

SafeNet Virtualised Encryptor CV1000 11

Section 1 - Encryption

The 10G Ethernet standard specifies two types of physical interface: LAN PHY which is intended to
support existing Gigabit Ethernet applications at ten times the bandwidth, and WAN PHY which oper-
ates at a data rate compatible with SONET OC-192c and SDH/STM-64.
Note that Senetas virtualised encryptors are documented using the physical interface naming con-
ventions.
The 9.953 Gb/s SONET/SDH data rate of the OC-192/STM-64 network, is not compatible with 10 Gig-
abit Ethernet.
10GbE networks are becoming the de facto network standard as fast and large-capacity networks
become more widespread. Although the current mainstream of 10GbE installations is the physical
layer or LAN-PHY of Access networks, router and switch vendors are also positively adopting 10GbE
for WAN-PHY of existing core and metro SONET/SDH networks to assure high-reliability and QoS.
WAN PHY is designed to bridge the asynchronous world of Ethernet data with synchronous
SONET/SDH transport, allowing 10 Gigabit Ethernet to be transparently carried over current DWDM
networks. As a result, this interface runs at a data rate compatible with SONET OC-192c/SDH
The 10 Gigabit Ethernet 802.3ae standard has the following features: 
l Preserves the 802.3 Ethernet frame format
l Preserves the minimum and maximum frame size of the current Ethernet standard 
l Supports full duplex operation only
l Specifies an optional media independent interface (XGMII) to connect a 10 Gbps capable
MAC to a 10 Gbps PHY
l Specifies an optional application unit interface (XAUI) which improves and simplifies the con-
nection between a 10 Gbps capable MAC and a 10 Gbps PHY
l Supports a speed of 10 Gbps at the MAC interface
l Defines two families of PHYs – LAN and WAN

Where to encrypt?
There are several ways to encrypt data in transit; common options include Transport Layer Security
(TLS) for the Internet which replaces the now deprecated Secure Sockets Layer (SSL) , the IPSec
encryption standard for “tunnelling” at layer 3, and layer 2 encryption.
The word “layer” is used to differentiate the logically separate components of communications sys-
tems, that is, layer 1 is the physical layer (wire, cables, connectors etc.), layer 2 is the data link layer
(e.g. Ethernet frames) and layer 3 is the network layer (e.g. IP packets), etc. Note that for virtualised
encryptors the same 'layer' naming scheme is used. Refer to Figure 2 on the previous page.
In reality, encryption can happen at different layers of a network stack, the following are just a few
examples:
l End-to-end encryption happens within applications.
l IPSec encryption takes place at the network layer.
l Layer 2 encryption takes place at the data link layer.
The challenge lies in maintaining the performance and simplicity of high speed networks while assur-
ing the security and privacy of user data, whether it be a voice, data or video transmission.

Senetas’ role
Senetas encryptors are certified to the most rigorous independent standards for cryptographic
product design including FIPS 140-2 level 3 and EAL2+ and NATO. These standards are designed
to provide an independent assessment of a products security above and beyond that provided by
the vendor. For this reason governments and other organisations worldwide use these assessments
as a mark of trust for the security products they choose to encrypt their data.
Senetas’s encryptors are used in some of the most demanding environments imaginable including
high speed US Defence Department networks in the US, AsiaPac and Europe. They secure critical
backbone infrastructure for banks and other large financial institutions globally.
Senetas is committed to assisting organisations in meeting their long-term vision of network-centric
operations with highly secure reliable commercial-off-the-shelf (COTS) solutions.

12 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Senetas “bump in the wire” layer 2 technology has the lowest impact on network performance, is
transparent to media and reduces complexity thus allowing business and Government to sig-
nificantly reduce costs in meeting data protection and privacy regulations.
Key differentiators of the Senetas products include:
l Reliable field proven hardware solution
l Support for AES 128/256 bit keys
l Support for point-point, hub & spoke and fully meshed topologies
l Common Criteria EAL2+ and FIPS 140 accreditation
l True full duplex wire speed encryption at up to 10/100Gbps
l Provision of virtualised encryption limited only by hypervisor performance
l CV series of virtual encryptors optimised for use with CMXNET3 or paravirtualised device
drivers
l SNMP network management
l Remote upgrade capability
l Use of pluggable transceivers for both optical and electrical connections (CN Series)

Network considerations
As is the case with the protocol, the topology of the network over which the encrypted traffic will
travel is usually outside of your control and you will have to work within whatever constraints exist. In
most cases Senetas encryptors provide the  required configuration flexibility to address any issues
that exist.
Experience tells us that the task of selecting and configuring your encryption solution is simpler if
you have a network diagram that spells out the nature of the links and the interconnecting equip-
ment.
In the following section we discuss some of the common network topologies and provide some con-
figuration guidance. This information is somewhat protocol agnostic, however as is often the case
particular topologies are often protocol specific.
Layer 2 networks such as LAN’s and even WAN’s usually present few problems. However you do
need to be aware that what may appear to be a layer 2 service could have some traps for the
unwary. In some cases devices which purport to operate at layer 2 may interact with the data in ways
that lead to unpredictable traffic when you attempt to encrypt it. This can particularly be the case with
some older Ethernet networks. Again it is worth emphasising that a complete network diagram is
invaluable.

VPN confusion
The use of the term Virtual Private Network can be confusing as it implies that absolute pri-
vacy exists between the users of the different virtual networks.
In fact security within VPN’s can be compromised by configuration mistakes and the only
way to ensure privacy is to use encryption outside of the network.

VPLS networks
Virtual Private LAN Service networks are a layer 2 MPLS VPN services that offer similar reliability
and QoS capabilities of layer 3 MPLS networks. Senetas Ethernet encryptors can operate within
VPLS networks.

VPWS networks
Virtual Private Wire Service networks are a layer 2 MPLS VPN services, similar to VPLS services
except that they are configured to provide a point to point rather than a LAN service.

MPLS networks
The Multiprotocol Label Switching System (MPLS) is a standard that passes traffic in a more efficient
means that conventional IP routing. MPLS networks are sometimes referred to as ‘Layer 2.5’

SafeNet Virtualised Encryptor CV1000 13

Section 1 - Encryption

networks because they provide support for IP traffic, ATM traffic and Ethernet traffic. In instances
where the service is operating at layer 3 or 4, and the traffic is being routed packet re-ordering may
occur, and layer 2 encryption cannot be used.
Some vendors provide proprietary methods of ‘tunnelling’ layer 2 traffic through the layer 3 MPLS
network and this approach does allow layer 2 encryption to be used. The Cisco AToM (Any Trans-
port over MPLS) system is an example of this approach.
MPLS tagging does result in some expansion of traffic and this can result in fragmentation and in
some instances a reduction in throughput.

Other considerations
This section describes additional considerations, if any, that may apply to specific protocols.
An additional limitation that might be encountered in large networks is the number of MAC
addresses or VLAN IDs that need to be supported. Careful evaluation of the target network is
required so that the appropriate configuration  and Senetas encryptor is selected.
Some networks have provision for load balancing and redundancy. The Senetas Ethernet encryptor
does provide limited support for the monitoring of Spanning Tree Protocols (STP), however there are
limitations and these need to be considered.

14 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Security Overview
The data path that is established between two encryptors is referred to in this manual as a ‘con-
nection’ (or in some instances a tunnel), and the term ‘session’ refers to a connection that has been
securely established. Encryption policy is determined by connection rules.
Figure 3 below shows the way in which transmitted and received data flows through an encryptor.
Conceptually this is quite simple:
1. Information arrives at the encryptors interface ports
2. The encryptor determines the encryption policy from a connection rule in the Connection
Table which specifies how that information is to be processed
3. The information is processed according to the policy and (if not being discarded) it is sent out
the opposite port

Figure 3 Encryptor data flow

The table lookup procedure depends on the type of network that is being secured and the layer at
which encryption is implemented. Some networks send information in discrete packets with an identi-
fying header (either at the beginning or end of the packet) containing an address and other inform-
ation. Other networks send unformatted synchronous data as a simple bit stream.
The sections that follow discuss the way in which the encryption is performed based on the con-
figuration of the encryptor. Configuration is performed using CM7 or the CLI on the control plane as
distinct from the encryptors data plane and this separation enhances the overall security of the net-
work.

Encryptor Security process ...

Algorithms define how we encrypt
Keys determine encryption strength
Implementation is based on security needs
Security Practices determine overall protection

Connection rule
The encryptor is programmed to interpret the information it receives and match it to a connection rule
in the Connection Table for the type of network it is protecting. This usually involves identifying the

SafeNet Virtualised Encryptor CV1000 15

Section 1 - Encryption

network address and looking up the specified action in the table.

The protocol and encryption policy also define which part of the received information (the payload)
needs to be encrypted and which parts (usually the header) must be left unencrypted so that the net-
work can process it correctly.

The following table shows the information that Senetas encryptors use to determine the connection
rule(s) for a given network type:

Table 1. Connection rule mechanism

Network Type Rule decision is based on
Ethernet Ethertype and MAC address or VLAN ID in Ethernet header

Each connection rule specifies one of the following actions to be applied to the information on that
connection:
l Secure - using specified algorithm
l Bypass  - pass without modification
l Discard - don’t allow traffic to pass

The default action for information processing is ‘Discard’. This means that information that cannot be
matched to a defined rule in the connection table is dropped.

Secure vs. Encrypt

Earlier versions of CM7 used ‘Encrypt’ to refer to the state of a connection that was being
secured.
As encryption policy evolved it became apparent that not all of the traffic on a secured link
was encrypted. For this reason ‘Secure’ is now used to refer to the state of a connection that
is being encrypted using the defined policy.

Encryption process
The encryption process is based on a series of components that taken together provide a means of
defining a standard result. These include algorithms, keys and modes.
The actual process of encryption is performed by either software, in the case of the CS10/100 or CV
family, or in the case of the CS1000 and CN family, hardware using Field Programmable Gate
Arrays. The requirements of the network dictate which unit is appropriate.
The encryptor factory default settings will normally meet the requirements of the network; however if
required these can be changed.
The session keys used to encrypt and decrypt network traffic are symmetric keys that allow operation
in full duplex at full line speed.
Support for different protocols is provided by differing interface cards which can operate at the appro-
priate speeds.

Encryption modes
The encryption modes available for Ethernet and other protocols that can be encrypted are listed in
Table 2 on the facing page.

16 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Table 2. Available encryption modes

Protocol Encryption modes (Algorithm: mode)
Ethernet - CS Series, 10 Mbps AES:GCM 128 bit key, CFB or CTR 128, 256 bit key
Ethernet - CN Series, 10/100Mbps, 1Gbps AES: GCM 128, 256 bit key, CFB or CTR 256 bit key
Ethernet - CN Series, 10Gbps AES:CTR, GCM 128, 256 bit key
Ethernet - CN Series, 100Gbps AES: CTR, GCM
Ethernet - CV Series, up to hypervisor limit AES: CTR, GCM 128, 256 bit key

Counter (CTR) or Galios counter (GCM) mode is required for encryptors operating at speeds of
10Gbps or higher.
Senetas recommends AES encryption with a key size of 256 bits for new networks.
The difference between CFB, CTR and GCM modes is shown diagrammatically below. In each case
an initialisation vector is used to ensure randomness. For further details refer to the following wiki-
pedia links:
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation and http://en.wiki-
pedia.org/wiki/Galois/Counter_Mode

SafeNet Virtualised Encryptor CV1000 17

Section 1 - Encryption

18 SafeNet Virtualised Encryptor CV1000

 Section 1 - Encryption

Figure 4 Galois/Counter (GCM) mode

Which mode?
Senetas encryptors generally use CFB mode since it provides improved pattern masking via
a more random initialisation vector.
If packet based authentication is required then GCM mode should be used.
At high speeds, that is 10 Gbps or above, processing capacity requires that CTR or GCM
mode be used.
In any network all of the interoperating encryptors must use the same mode.

The Electronic Code Book (ECB) mode of encryption does not utilise an initialisation vector and as a
result it is not effective in masking patterns within data. Due to this limitation Senetas does not sup-
port this mode.

SafeNet Virtualised Encryptor CV1000 19

Carrier topology

Carrier topology
The example discussed in this section is based around the provision of services for three customers
each of whom requires centralised carrier management of the physical network while retaining con-
trol over the security of their traffic. For convenience we will refer to these as customers A, B, and C.
To emphasise the flexibility of the system we will consider the management of two similar customer
topologies and a third less complex one.
The 'isolated mode' of operation of the Senetas CV1000, CN6000 and CN9000 series encryptors
allows SNMPv3 management via either the front panel primary or auxiliary port. The only difference
in the capabilities of these is that the auxiliary port cannot be configured to provision NTP time serv-
ers. This difference usually determines port assignment, and as security is a customer responsibility
the primary port is normally assigned to the customer and the auxiliary port to the carrier.

Encryptor selection
Both the CN6000 and CN9000 series encryptors provide the front panel auxiliary port so either can
be used with isolated mode. The speed requirements of the network being encrypted will usually
determine the required model.

Carrier connections
The topology of the network will determine how the connections are made from the carrier NOC to
the customer premises. As the network is being provided by the carrier it is likely that as part of the
installation the appropriate NTUs will be made available at the customer site(s). The encryptors are
equipped with RJ45 Ethernet ports and standard CAT5 cabling is used.

Port IP addresses
When operating in isolated mode there are no restrictions placed on the IP addresses that can be
used for the primary and auxiliary ports and they are therefore assigned according to the schemes of
the management networks.

20 SafeNet Virtualised Encryptor CV1000

 Customer A

Customer A
Customer A as shown in the following figure has three sites, each with a CN6000 series encryptor,
these being interconnected over a layer 2 'cloud'. The customers management connection is to the
primary port at site A3 while the carrier management is via the NTU and the auxiliary port on the
same unit. The choice of which port is used by which organisation is made based on the require-
ment for NTP, OCSP or CRL as these are only configurable for the primary port.

Encryptor configuration
To facilitate isolated operation the auxiliary port must be enabled using the IP -a isolated CLI com-
mand and then both the auxiliary and primary ports should be configured as follows.

Since the auxiliary port will be used by the carrier for inband IPv4 management then the following
commands must be executed:

IP -s 5 <IPaddress>/<prefix> <gwAddress> to assign the carriers IP address to the

auxiliary port
IP -g -e to enable carrier inband management of the remote encryptor.

To provision the primary port for customer inband management the following commands are
required:

IP -s 1 <IPaddress>/<prefix> <gawAddress> to assign the customers IP address to

the primary port
IP -s 3 <inbandIPaddress>/<prefix> <0.0.0.0> to assign the inband IP address to the
encryptor

When using inband management the ports of the remote encryptors are usually disabled using the
following CLI commands on those encryptors:

IP -d 1 for the primary port

IP -d 3 for the auxiliary port

Depending upon where the encryptors SNMP traps are to be sent the snmptraps trapAddress CLI
command should be used to specify each of the trap addresses. This command has A appended to
specify the auxiliary port and both ports can be configured.

SafeNet Virtualised Encryptor CV1000 21

Customer A

The destination address(es) for Syslog messages can also be specified using the systlog -a
address command and as with SNMP traps the A suffix is used for the auxiliary port and both ports
can be configured.
Note that NTP, OCSP and CRL servers can also be configured on the primary (front) panel port
using the applicable CLI commands.

22 SafeNet Virtualised Encryptor CV1000

 Customer B

Customer B
Customer B as shown in the following figure has three sites, each with a CN6000 series encryptor,
these being interconnected over a layer 2 'cloud'. The customers management connection is to the
primary port at site B3 while the carrier management is via the NTU and auxiliary port on the same
unit. Again as with customer A, the choice of which port is used by which organisation is made
based on the NTP, OCSP and CRL requirements and we will assume the customer utilises the
primary port.

Encryptor configuration
Customer B has almost identical management requirements as customer A. Note that in practice the
decision as to which IP addresses are used, the assignment of ports, the use of inband or out of
band management, and the destination addresses for traps and messages are based on customer
and carrier requirements. When configured in isolated mode the IP addresses used for the primary
and auxiliary ports can be the same which means that both the carrier and customer are able to pro-
vision the units in line with their networks requirements.

SafeNet Virtualised Encryptor CV1000 23

Customer C

Customer C
Customer C has two sites and the carrier management of both encryptors is via a connection to the
NTU and auxiliary port at site C1. The customer manages both units inband via the primary port of
the encryptor at site C2.

Encryptor configuration
The requirements for customer C are similar to the larger customer A and B sites. The two sites are
connected via a dedicated layer 2 link, possibly dark fibre, and both the customer and carrier man-
age the units inband,
The carrier connection is via their network and the NTU to the auxiliary port of encryptor C1 and the
customer connects directly to encryptor C2 via its primary port.

24 SafeNet Virtualised Encryptor CV1000

 Frequently Asked Questions

Frequently Asked Questions

The following list of FAQ's should provide answers to most if not all of the questions that may arise
during the installation and commissioning of Senetas encryptors within carrier networks.

Who performs installation?

Installation is normally performed by the carrier with handover to the customer who takes respons-
ibility for activation, certification and the creation of customer and carrier accounts.

How many user accounts can exist?

Each unit can have up to 32 user accounts. Some of these will be Customer accounts, others will be
Carrier accounts. Only Customer accounts should be given administrative privileges.

What is activation?
Activation is the process that creates the secure administrative customer account.

How are encryption keys managed?

Encryption keys are automatically managed by the encryptors. They are secure and cannot be
viewed from outside the tamper proof environment.

What is a 'carrier account'?

Carrier accounts are the accounts created by the customer for the carrier. They are used to mange
the network attributes of the encryptor. They cannot access the security context.

What is a 'customer account'?

Customer accounts are the accounts initially created to configure and subsequently manage the
security aspects of the encryptor. They are not assigned to carrier personnel.

Who are users?

Users are all of these assigned accounts.

Who can access keys?

The encryption keys are held internally and cannot be accessed by anyone.

What are SNMP traps?

SNMP traps are trap messages generated by the encryptor and sent to SNMP trap receivers estab-
lished by the customer.

What is a Syslog
A Syslog is a centralised server that can receive Event and Audit messages from the encryptor. They
are configured by the customer.

What are NTP servers?

NTP or 'time servers' are network components that provide accurate date/time services. They can be
configured within encryptors.

What are user credentials

User credentials include the users identifying name and password. They can only be created by an
administrative account.

SafeNet Virtualised Encryptor CV1000 25

Frequently Asked Questions

What is 'isolated mode'?

Isolated mode is the mode of operation that provides complete isolation between the Customer and
carrier management ports.

What is 'Discovery'?
Discovery is the process used by CM7 to locate encryptors so that they can be activated, signed, and
managed. It is a one-off process.

What are IP addresses?

IP addresses are the standard IPv4 (or IPv6) addresses assigned to the encryptor management
ports which allow them to be discovered and managed.

26 SafeNet Virtualised Encryptor CV1000

 Frequently Asked Questions

Encryption overview
Senetas encryptors are shipped in a ‘factory default’ state which requires that they be physically
installed and configured to meet the security requirements of the target network. The installation pro-
cesses are described in chapters for each model.
Following installation each encryptor must be commissioned and configured. The commissioning
process is described in this document while configuration is described in the appropriate protocol
document. The difference between ‘commissioning’ and ‘configuration’ is that the former establishes
the encryptor as a secure device within the target network and the latter ensures that the encryptor
will operate according to the network's protocol, speed etc.
A prerequisite to commissioning an encryptor is that you are able to connect to it using one of the
Senetas management software packages. This requires that the unit be assigned a management IP
address so that the unit can be ‘discovered’ as described in the installation procedures.

Platform Overview
This chapter provides details of the platform.
See "NFV Encryptor Introduction" on page 28

SafeNet Virtualised Encryptor CV1000 27

NFV Encryptor Introduction
The CV1000 Senetas Virtualised Encryptor provides software based data encryption compatible
with the Senetas hardware based encryption platforms. It interoperates with these hardware devices
and can be managed using the CM7 management system.
The CV1000 allows for a range of powerful deployment scenarios including production, training,
demonstration, and the evaluation of the Senetas encryptor range.
The throughput of networks including virtual encryptors is dependant upon the performance of the
host systems. Senetas recommends that the host systems be sized appropriately.
This document outline a range of VM's and software tools which, when used in conjunction with the
CV1000, provides for a flexible and highly configurable network environment.

Note:
Virtual machines utilise random MAC addresses. It is critical to re-initialise MAC addresses
on every VM clone operation across ALL virtual machines within the broadcast domain in
use. Failure to observe this requirement may result in incorrect operation and connection
instability.
.

CV1000 description
The CV1000 supports DPDK configurations which provide improved scaling over non-DPDK sys-
tems as they can utilise all of the available CPU cores. Non-DPDK systems are not supported.
The CV1000 encryptor presents as a virtual machine (VM) equipped with paravirtualised NICs that
provide connectivity for management and the un-encrypted and encrypted networks.
The NICs are:

eth0, management port

eth1, local port (LAN)
eth2, network port (WAN)
eth3, aux management port (optional)

The VM is shipped as either a '.vmdk' flat file for native ESXi hosts, or 'vmdk Vcentre/Workstation
VMWare/VirtualBox image or a '.qcow2' QEMU/KVM image. Upgrade images (.img) for existing
instances are also available. Upgrades are performed in a similar fashion as the hardware devices
(via CM7/FTP).

In secure mode, a transmitting encryptor may encode a shim onto the outgoing network port, and a
receiving encryptor will in turn decode the shim and remove it. In line mode this is controlled by the
"shim" rate setting, which defaults to 16 (i.e. insert a shim every 16 packets). In MAC multicast and
broadcast modes, and VLAN mode, the shim rate is hard coded to 1 (i.e. every packet has a shim).
This implicit behaviour puts a restriction on the size of packets that can be received on the local port
of an encryptor – there has to be enough room to insert a shim. The shim size is typically 8 octets,
however in TIM mode, the worst case shim size is 12 octets, and if a packet and shim exceed the
MTU, it will be dropped. Thus the general guidance is to reduce the MTU size of the device con-
nected to the encryptor's local port by 8 or if running in TIM mode, 12.
The CV1000 supports jumbo frames and the devices MTU should be set to 9600 - 8, that is 9592, or
if in TIM mode, 9588.
These settings will allow a shim to be added to a packet presented to the local port without exceed-
ing the MTU size.

SafeNet Virtualised Encryptor CV1000 28

No network is perfect, even hypervisor internal networks, and some crypto modes are very sensitive
to dropped packets – namely CTR mode. This is generally not a problem in MAC multicast and
broadcast modes or VLAN modes because these modes shim every packet with crypto mode inform-
ation. However, Point-to-Point (Line) mode defaults to a shim rate of 16, which means that a dropped
packet will cause all subsequent frames to be corrupted until the next shim is received. These pack-
ets may be dropped, and either way will require re-submission, which can drastically impact through-
put. Thus the general guidance is that if you use CTR crypto mode, use a shim rate of 1, either
explicitly in Point-to-Point (Line) mode, or implicitly in MAC and VLAN modes.

29 SafeNet Virtualised Encryptor CV1000

System requirements
The performance of the CV1000 is dependant upon the virtualised environment into which it is
installed and the capabilities of the hypervisor. The minimum and recommended requirements are
as follows:

Item Delta DPDK based

Minimum CPUs 3
Recommended CPUs 4
< D7330 1 Gb
RAM
>= D7330 2 Gb
IDE Disk 2
The 'Delta' is available from CM7 system pane

Guest OS and network drivers

The guest OS is Debian Stretch (9), and the network adapters required by the hypervisor is as fol-
lows:

Paravirtualised Net-
Hypervisor Interfaces
work adaptor
Eth0 - management port
KVM Virtio-net
Eth1 - local port (LAN)
Eth2 - network port (WAN)
VMware Vmxnet3
Eth3 - auxiliary port (optional)

Performance Tuning
The performance of a system is determined by a number of factors and the following should be con-
sidered.

CPU pinning and encryptor function

The network cards (NICs) that have been configured

Version compatibility
Interoperability is assured above the following deltas and earlier versions may not operate in a
mixed environment.

Delta Description
Key format changed for TIM mode
> D7933 Added sender_ID to the original key hash computation, mak-
ing each keys key unique
Group Key Elliptic curve protocol change breaks backward
> D8002
compatibility

SafeNet Virtualised Encryptor CV1000 30

Management interfaces
Encryptors can be managed via the virtual NIC management port (using SNMPv3), the VM console
port (using CLI commands) or inband (using SNMPv3).

Management port statistics

The following table shows the management port statistics that are available using either SNMPv3 or
the CLI.

Table 3. Management Port statistics

Ethernet Meaning
MAC Address MAC address of the encryptors management port
Operating Mode The current mode the encryptor is operating in
Current Link Rate Encryptor link rate
Configured Link Rate User specified speed negotiation
Partner Link Rate Management link rate
IP Meaning
Packets In Number of IP packets received by the encryptor
Packets Out Number of IP packets sent by the encryptor
Header Errors Number of Header errors in IP packets
Address Errors Number of address errors in IP packets
Discards Number of IP packets discarded
ICMP Meaning
Messages In Internet Control messages received on the management port
Messages Out Internet Control messages sent by the management port
Errors Count of errors detected in ICMP messages
UDP Actions
Datagrams In Number of UDP datagrams  received by the encryptor
Datagrams Out Number of UDP datagrams  sent by the encryptor
Errors Number of errors in UDP datagrams

Local port statistics

The statistics listed below are accessed using CM7 or the CLI.

31 SafeNet Virtualised Encryptor CV1000

Table 4. Local interface statistics
Received Data Meaning
Corrupted Frames Count of received frames corrupted due to internal processing
Count of frames received after an minimum interframe gap viol-
Interframe Gap Errors
ation.
Octet Count Count of characters received
Frame Count Count of frames received
FCS Errored frames The number of received frames that had an FCS error
PCS Errored Frames The number of received frames that had data errors
Undersized Frames Count of received frames that were less than 64 characters
Oversized Frames Count of received frames that were over 1536 characters
Discarded Frames Count of received frames discarded due to Policy settings
PCS Sync State Current state of local port communications
Transmitted Data Meaning
Octet Count Count of characters sent
Frame Count Count of frames sent
FCS Errored Frames Number of sent frames with FCS errors

Network port statistics

The statistics listed below are accessed using CM7 or the CLI.

Table 5. Network interface statistics

Received Data Meaning
Corrupted Frames Count of received frames corrupted due to internal processing
Count of frames received after an minimum interframe gap viol-
Interframe Gap Errors
ation IFG
Octet Count Count of received characters
Frame Count Count of received frames
FCS Errored frames The number of received frames that had an FCS error
PCS Errored Frames The number of received frames that had data errors
Undersized Frames Count of received frames that were less then 64 characters
Oversized Frames Count of received frames that were over 1536 characters
Discarded Frames Count of received frames discarded due to Policy settings
PCS Sync State Current state of network communications
Manage Octet Count Count of management characters received
Manage Frame Count Count of management frames received
Manage Drop Frames Count of management frames dropped due to internal processes
Transmitted Data Meaning
Octet Count Count of characters sent
Frame Count Count of frames sent
FCS Errored Frames Number of sent frames with FCS errors
Manage Octet Count Number of management characters sent
Manage Frame Count Number of management frames sent

Interface notes
The minimum receivable IFG without dropping the subsequent frame is defined as;
- 64 bit times for 1Gbs operation

SafeNet Virtualised Encryptor CV1000 32

- 40 bit times for 10Gbs operation
- 8 bit times for 100Gbs operation
Frames received below the stated values will cause the Interframe Gap Errors Count to increment.
These frames are dropped and are not included in the Rx Discard statistic.

33 SafeNet Virtualised Encryptor CV1000

Commissioning
The commissioning steps, described in more detail on the following pages, include:
o Setting the encryptors IP address so that CM7 can be used to perform the following steps.
o setting the encryptors Name and Date/Time
o activation using CM7, which is preferred if CM6 has not been used previously as the current
release of CM7 supports all of the required encryptor models.

For new installations, Senetas recommends the X.509/V3 approach described in the last two steps.

Default credentials
The encryptor is shipped from manufacturing with a single administration account that has
an account name of ‘admin’ and a password of ‘$Password1’.
These credentials must be changed so that a knowledgeable user cannot access the unit.
The default credentials are reset whenever the unit is erased or the tamper mechanism is
triggered.

Setting the IP address

An encryptor requires a valid static IP address before CM7 can manage it via the management port
or remotely via inband management. DHCP is not supported as it poses a potential security risk. The
IP address can be set via the CLI or if an address has already been assigned, the encryptor can be
‘discovered’ and the IP address changed as described below.
Both IPv4 and IPv6 addresses are supported on the Ethernet management port.
The management IP address can be set and changed from:
l The Command Line Interface (CLI)
l From CM7 (once an initial address has been assigned).
If the encryptor already has an IP address assigned you can use CM7 to change the address as
described in the sections that follow.

Note
Keep in mind that connectivity to virtual encryptors depends on the environment. While vir-
tual rather than physical connections are used in the descriptions that follow no distinction is
made between these.

Set the IP address through the CLI

Logon to the CLI using the default account (user name: admin, password: $Password1)
Use the ip command to set the address as described on page 148.

Note
The management IP address is not visible from the networks connected to an encryptors
Local or Network ports. The IP address is only used for local management via the
encryptor's management port.

SafeNet Virtualised Encryptor CV1000 34

Set the IP address from CM7
The encryptor's IP address can be changed from the Network Addressing menu item of the selected
unit. See "Network addresses" on page 87

Note:
Factory shipped encryptors may already be configured with an IP address. If so, this needs
to be reconfigured with a valid IP address for your network. CM7 can be used to do this.

Note:
Address changes take effect immediately; there is no need to restart the encryptor. Assum-
ing SNMP access is available, subsequent IP changes can also be made remotely.

35 SafeNet Virtualised Encryptor CV1000

Setting Name and Date/Time
The encryptor has an internal battery-backed Real Time Clock (RTC) which does not start running
until the time and date are configured.
The time must be set using 24 hour notation. Prior to firmware version 2.4, time zones were not sup-
ported and all encryptors must be set to a common reference time.
The date and time can be set using the CLI, or with CM7. CM7 is the preferred option as it ensures
that subsequent certification times do not precede the encryptors ‘Not Before’ time.
The timezone for each encryptor can be set with the CLI timezone command as described on page
168, or using CM7.

Setting the encryptor name from CM7

The encryptor's name can be changed from the Overview menu item of the selected encryptor. See
Figure 39 on page 83

Setting Date and time via the CLI

Logon to the CLI using the default account (user name: admin, password: $Password1)
Use the DATE command to set the date and time. See 'date' on page 140 for details.

Setting Date and time from CM7

The date and time can be set using the Date/Time option as described on page 85

Source of Date/time
Each encryptor uses its real time clock to maintain an accurate date and time.
The date/time value can be set from CM7.
Optionally an external time (NTP) server can be configured so that date and time are auto-
matically established.

SafeNet Virtualised Encryptor CV1000 36

Activation
The activation process is used to change the credentials of the default administration account from
admin/$Password1 to those used to secure the unit. The process requires a user who is logged on
to the ‘admin’ account and an operator at the encryptor.

Activating encryptors with CM7

The activation steps are describe on page 69

Activating encryptors from the CLI

Where supported by the firmware, encryptors can be activated from the CLI using the activate -l
command as described on page 136

Feature introduction
Firmware releases add to the features of each encryptor. Refer to the release notes for version v5.1.x
for details..

User defined entropy

Senetas encryptors utilise one or more noise/entropy sources to provide robust, FIPS approved
entropy for the purposes of generating all key material within the device. The NIST800-90A/B/C
standards have been implemented and the solution certified to FIPS140-2 Level 3.
In version 2.7.0 of the firmware, a facility to completely replace the entropy source with a user
defined entropy pool was added. To utilise this facility, FIPS mode must be disabled and then
entropy enabled either via CM7 or the CLI.
When entropy is enabled an entropy (.ent) file can be loaded using the same procedure as a firm-
ware update; however, a reboot is not required. The entropy file is consumed verbatim for key use,
with no other mixing and no qualitative testing applied. This has a twofold benefit for customers:

Firstly, the entropy pool is not polluted in any fashion with internal processing which
provides an assurance that the key material is based solely on the entropy pool data.
Secondly, for the purposes of AES assurance testing, “known” entropy can be used to
facilitate black box testing by the end user. The test entropy pool can be readily
erased or overwritten on the completion of any test cycle.

The entropy file includes an SHA256 signature which is verified during file loading and process
start-up. If verification fails or the entropy pool be exhausted, the encryptor will failback to the stand-
ard internal hardware-based entropy sources without operational impact.
Reloading the entropy pool removes any existing data and restarts consumption.

Preparing the .ent file

The following Linux example gives the required steps to construct an entropy file for the purposes of
uploading to an encryption device. Maximum file size is 10 Mb.

head –c 10M /dev/random* > ent.bin

sha256sum ent.bin > ent.sha2
tar –zcvf <filename>.ent ent.bin ent.sha2

*Illustrative only - select a source as required by the customer.

37 SafeNet Virtualised Encryptor CV1000

Monitoring
Once the update is complete, the user should check the event log and verify the SHA256 checksum
matches that which was loaded.
With entropy pool enabled, pool statistics are available via CM7 or the CLI. These statistics are
provided in the following table.

Table 6. Entropy statistics

Parameter Description
Entropy pool Enabled
Size (bytes) Total size of entropy file
Bytes remaining Remaining bytes before exhaustion
Bytes used Bytes consumed to date
Percent used Percent exhausted
Based on current consumption rate over pre-
Estimated days remaining vious days (7 day rolling window) - allow 24
hours for initial calculation

Alarms are generated when consumption reaches 80, 85, 90, 95 and 100% consumption of the pool.

Expected consumption
The entropy pool consumption rate will vary based an operational mode(s) and the number of secur-
ity connections configured at any particular time. Consumption may also be increased temporarily
on session establishment errors such as connectivity issues within the network or incorrect encryptor
configuration (i.e. different crypto modes at either end of a connection).
l In VLAN mode (RSA 2048 or EC) a single connection with 60-minute key updates, the ses-
sion master will exhaust a 10 Mb entropy file in approximately 37.4 years.
l In MAC mode (line or mesh) using RSA 2048 a single connection with 60-minute key
updates will exhaust a 10 Mb entropy file in approximately 7.9 years.
l In MAC mode (line or mesh) using EC P-521 a single connection with 60-minute key updates
will exhaust a 10 Mb entropy file in approximately 4.3 years.

SafeNet Virtualised Encryptor CV1000 38

 Figure 5 Entropy consumption

39 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

Section 3 - Protocol encryption

This section describes the configuration and processing for each protocol.

Ethernet encryption 40
Transport Independent (TIM) Mode 42

Ethernet encryption
This document provides detail of the manner in which Ethernet traffic can be encrypted using Sen-
etas encryptors. This document describes the basic operation of the Ethernet encryptors and the nor-
mal or preferred mode of operation.
The options and features available are determined by the encryptor model, the firmware version and
the type of accreditation and these constraints are highlighted where appropriate.

Basic operation
The Ethernet encryptor provides layer 2 security services by encrypting the contents of data frames
travelling across Ethernet networks. The encryptor encrypts data between a local (protected) net-
work and a remote (protected) network across the public (unprotected) network. An encryptor is
paired with one or more remote Ethernet encryptors to provide secure data transfer over encrypted
connections as shown in Figure 6 below.

D_21104

Figure 6 Ethernet network topology

An encryptors Ethernet receiver accepts frames on its ingress port; valid frames are classified accord-
ing to the frames header then processed according to the encryptor's configured policy.
The available policy actions are:
l Encrypt – payload of frame is encrypted according to policy
l Discard – drop the frame, no portion is transmitted
l Bypass  – transmit the frame without alteration
When an encryptor is in Encrypt or Bypass it recalculates and appends a Frame Check Sequence
(FCS) to each frame that is transmitted.

SafeNet Virtualised Encryptor CV1000 40

Section 3 - Protocol encryption

Policy
Ethernet encryption policy provides fine control over how Ethernet frames are pro-
cessed as they pass through the encryptor.

Operation within networks

The Senetas Ethernet encryptor requires very little re-configuration prior to being installed within the
network that is to be secured.

Ethernet encryptors can be managed by the Senetas CM7 management system or via the Command
Line Interface (CLI).

The Operation mode of the encryptor can be configured to place it in one of three states: Discard to
prevent the flow of traffic, Bypass so that all traffic flows unencrypted, or Secure (Encrypt All) so that
traffic is encrypted subject to policy settings. When the encryptor is shipped it is in Discard mode.
Bypass mode is usually only used during initial setup or for troubleshooting.

41 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

Transport Independent (TIM) Mode

Transport Independent Mode (TIM) is a mode that allows traffic encryption at layers 2, 3 and 4 of the
OSI model.
When in TIM mode ‘key provider’ model is used for encryptor key management which is decoupled
from the underlying network. In this model encryption keys are not distributed between encryptors
across the layer 2 network.
When in modes other than TIM, encryptors securely distribute keys between themselves across a
Layer 2 network using certificate based authentication.

Key Provider model

The ‘key provider’ model is an abstracted service interface whose purpose is to ensure that encryp-
tion keys are securely generated, synchronised and updated between encryptors independently of
the underlying WAN.
The model is extensible and the functionality depends upon the version number. For the products
included in this document the available plugin key providers are:

Key Derivation Function

External KMIP key server

The KeyProvider option can be configured using the CLI ‘keyprovider’ command.

CV1000_A>keyprovider

Key Provider mode is : Key Derivation Function

CV1000_A>

Each key provider generates and manages keys in a different way, for example:
l Key Derivation Function - the next iteration of the KDF returns the key
l Key Server - issuing a GET command to an external Key Server returns the key

Key Derivation Function

A key derivation function (KDF) is a method of deriving multiple encryption keys from an initial secret
key using a pseudo-random function.
When operating in TIM mode, the KDF option provides NIST approved encryption keys as specified
in Special Publication 800-108:

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf

The KDF operates in counter mode using a Keyed-Hash Message Authentication Code (HMAC):

SafeNet Virtualised Encryptor CV1000 42

Section 3 - Protocol encryption

The KDF takes as input a Key Derivation Key, an incrementing counter and fixed input data. The out-
put from the KDF is called the derived keying material and it can be used directly as symmetric
encryption keys.
A KDF is considered secure because:
l The output from any one iteration is indistinguishable from truly random data
l The KDF provides key separation meaning that the compromise of any one derived key does
not degrade the security strength of any prior or future derived keys

The KDF provider serves as the default mode, implementing a FIPS approved key derivation func-
tion based on a manual or automatic key distribution model (MKD/AKD). There is no requirement for
a centralised key server in this mode of operation.
The Key Derivation Key (KDK) must be derived from a Cryptographically Secure PRNG (for example
the PRNG used in a CN series hardware appliance) and kept secret. The overall security of a KDF
depends on the securely generating and sharing the KDK.
Each encryptor in a network must use the same KDK which can be generated on one encryptor and
manually loaded into others via the CLI (using the ‘kdf’ command) or over SNMP using, for example,
CM7 KMIP Key server.

CV1000_A>kdf -g

This will destroy the current Key derivation key.

and install a new one. It will be displayed once for distribution.
Do you wish to continue (y/n) ?y

Key Derivation Key:

bd6db004257ca63c1b8a0d42a051485fa859c0fbf7f463c07d47c2961ad377dd
HASH:
9a7c80afa55d9d8550a4498961cf3c9b172210bf63897b60e0560fc818acba294
CV1000_A

Each iteration of the KDF produces a 256 bit output key that is used directly as a Data Encryption
Key.
Incrementing counter: The encryptors use a counter input to the KDF that is equal to the number of
hours that have elapsed since the Unix datum: 00:00:00 1 January 1970

43 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

Encryptors must therefore be synchronised to a common time reference to ensure that they are using
the same counter value (i.e. key) at all times.
It is recommended that the encryptors are configured to use a common NTP server to achieve this
(see user manual for instructions on NTP configuration).
Fixed Input Data: The fixed input data to the KDF is required by the NIST standard and uses a
unique per entity (encryptor) context string to ensure that each encryptor is generating unique
encryption keys to encrypt their egress data.

KMIP key servers

The Key Server provider option relies on an external 3rd party Key Management Service (KMS) as
shown below.
A KMS is a service where encryption keys are created and managed for example SafeNet KeySe-
cure: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/
KeySecure is available as a FIPS certified hardware appliance with tamper protection or as a virtual
machine.

Encryption keys are generated, stored and distributed from the centralised key server and therefore
must be reachable by all encryptors in the network.
Key management messaging occurs ONLY between individual encryptors and the central key server

Note: This models provides isolation of the control plane from the data plane and
allows for transport independent encryption

Key server mode relies on an authoritative time source to ensure key synchronisation between
encryptors. Therefore as for the KDF provider, NTP support required in the network.
Encryptors communicate with the key server over an authenticated TLS session using the standards
based Key Management Interoperability Protocol (KMIP) or a similar protocol (e.g. Gemalto’s NAE).
Data encryption keys are generated in the key server on request by each encryptor using KMIP com-
mands
l Generated keys are uniquely named using the requesting encryptors SID to identify them
e.g. SID_DEK_0

SafeNet Virtualised Encryptor CV1000 44

Section 3 - Protocol encryption

l The keys are retained in the key server and can be read on demand at any time by any
encryptor when required to decrypt traffic

Traffic encryption
In TIM mode data can be encrypted with confidentiality only (using CTR mode) or with confidentiality
and authentication using, GCM mode.
All Data Encryption Keys (DEK) are AES-256 keys and encrypted frames are shimmed.
Each encryptor must be configured with a unique Sender ID which is sent in the encrypted frames
and used to identify the originating encryptor.
l The encryptor SID is configurable via the CLI SNMP command or via another configuration
method if supported (e.g. cloud-init)

Egress Flow (Encryption Local -> Network port)

In TIM mode each encryptor has a single transmitter key and all secure traffic is encrypted using that
key. The Data Encryption Key (DEK) is unique per encryptor and used to encrypt data in the egress
direction, this key is called the egress DEK.
l Note: Future implementations may support multiple egress DEKs per transmitter e.g. a sep-
arate DEK per VLAN or IP subnet for example.

Ingress Flow (Decryption Network -> Local port)

When an encryptor receives an encrypted frame it must identify the key required to decrypt it.
The receiver uses the SID and Key Bank in the encrypted frame’s shim to identify the decryption key
to use.
If the receiver doesn’t yet have keys for the received SID it will request them from the key provider
which will retrieve the keys using a provider specific mechanism (e.g. using KDF internally or
requesting them from the external key server).
A receiver must store two keys plus a salt for every peer encryptor that it communicates with.
l Note: the exact number of peers supported in TIM mode depends on the encryptor model.

TIM policy
The encryption policy used when operating in TIM mode has similarities to those applicable in VLAN
mode, with the extensions required for layer 3 and 4 traffic.
In TIM mode the default is to bypass all traffic except IPv4 unicast, with further lookups based on the
IPv4/6 addresses and ports.

Ethertype Table
Based on the topology of the network, review the ethertypes policy table and 'bypass reserved mul-
ticast' setting. The default in TIM mode is to bypass all traffic except IPv4 unicast which is then further
defined using the Iprules table
NB: When placed into TIM mode, the sender ID is randomly set and should be unique within the net-
work. The sender ID is also used as the Key ID when running in TIM mode, and these terms may be
used interchangeably.

Iprules Table
The iprules table further defines IPv4/IPv6 policy lookups based on IP address, IP next protocol
fields and TCP/UDP port numbers. These rules are established using the iprules CLI command

45 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

The IP address search is based on a longest prefix match (LPM), and several sub-netted entries may
be required to fully prescribe policy.

Iprules (egress) encrypt datapath

The iprules command matches destination IP address and destination TCP/UDP port.
Actions cl2, cl3, cl4 instructs the policy where to insert the shim, as per ETN-0042 (frame formats)
and ETN-0022 (shim formats) and causes the policy to follow the CI action. When the action equals
bypass it causes the frame to be bypassed irrespective of the CI Action. When the action equals dis-
card it causes the frame to be discarded irrespective of the CI Action. If no iprule is matched then the
default iprule action is followed (discard/bypass).

Iprules (ingress) decrypt datapath

The decryption is based on the shim location in the incoming packet. Once a shim is located in the
packet, the CI action is looked up and if it’s set to secure, then the packet is decrypted based on
whether the packet is shimmed at Layer 2, 3 or 4. Otherwise, if the CI action is set to Bypass or Dis-
card, then the same is followed.
If there is no shim in a packet, then the following applies:
The iprules command matches source IP address and source TCP/UDP port.
Actions cl2, cl3, cl4 or Discard causes the frame to be discarded irrespective of the ci action. When
the action equals bypass it causes the frame to be bypassed irrespective of the CI Action. If no iprule
is matched then the default iprule action is followed (discard/bypass).

Specifying IP rules
Wildcards (*) are only accepted for the protocol and port fields (not IP address and subnet mask).
If the port number is specified then the protocol field must also be specified as UDP (17) or TCP (6).
i.e. a wildcard cannot be used for the protocol field in this scenario. Effectively, the port number is
only valid for TCP and UDP protocols. If they are specified for any other protocol, iprule addition
shall fail with an audit log generated.
AUDIT - IP rules configuration : Invalid Iprule specified
Layer 4 encryption (cl4) is only applicable for TCP and UDP. So if cl4 is specified in the iprule, and
protocol is not TCP or UDP then the iprule addition shall fail with the same audit log as above.

Defining rules for unspecified addresses

Encrypt datapath: Define the default action if no rules are matched.
Decrypt datapath: Define the default action if no shim is present and no rules are matched.
The action specified by –u switch applies to all packets that don’t match any of the rules specified in
the iprules table. So in the encrypt direction, if the destination IP address in a packet doesn’t match
an iprule, then the default action is applied to the corresponding packet.
If the global mode action = encrypt, and the Ethertype action outcome is encrypt L3/L4 then the
iprules feature comes into effect. If there is no match (i.e. unlisted) in the IP rules table, then the
action defined by this command is followed.
Valid settings are; {Discard, Bypass, Encrypt_L2, Encrypt_L3, Encrypt_L4}. Encrypt_L2, Encrypt_L3
and Encrypt_L4 require that the CI ACTION is set to secure.
Note 1; if the default action is set to Encrypt_L4 but the user traffic is not UDP or TCP, then the frame
is discarded.
Note 2; if the default action is set to Encrypt_L3 but the user traffic is not IPv4 or IPv6, the frame will
follow the Ethertype table action for that Ethertype (i.e. this action does not apply).

Clearing and/or Deleting rules

SafeNet Virtualised Encryptor CV1000 46

Section 3 - Protocol encryption

The -c command clears all of the rules and the -d <idx> command removes the rule at index position
idx.

Key synchronization
Each DEK is assigned a number, keys are numbered with reference to the number of hours since
the Unix datum and are shown in the connection table.

CI   Origin   Access            State      KID         Key#     RX Frames Tx Frames AuthErr Replay

---- -------- ============= -------------- --------- --------- --------- ------------------ ---------
1001 System  Secure         Up 24814 421804 0 78 0        0
1002 Auto Secure         Up 40430 421856 43 0 0        0

DEKs are updated every hour automatically (the period is non-configurable) and synchronisation is
guaranteed through the use of a common time reference (NTP should therefore be enabled).

All keys are changed synchronously across the network on hour boundaries (since the datum). After
a key update the transmitters generate a replacement DEK and this occurs in a fixed time window
after the key update. To minimise load on external key servers (when used as the key provider) trans-
mitters updates occur randomly across the allotted window.
In a similar manner all receivers must update their keys prior to the next key changeover time and
this is also done randomly across the allotted window as shown above.
Encryptors always maintain two DEKs e.g. SID_DEK_1a and SID_DEK_1b to allow atomic roll-over
of keys without traffic loss
l One DEK will be the current DEK used to encrypt traffic
l The other will be the next DEK to be used when the current DEK expires
l The shim in each encrypted frame contains a Key Bank field which indicates the DEK to be
used for that frame
Regardless of the key provider, the time since datum can be used to calculate the correct key and
this provides a robust
synchronisation mechanism that allows encryptors to leave, join or restart at any time during the key
update period.

Shim formats
Every encrypted frame contains an addition shim. The shim format used when encrypting layer 2
traffic in TIM mode is:

47 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

The shim format used when encrypting layer 3/4 encryption in TIM mode is:

Where:
l SID = 17 bits (allows up to131,072 unique transmitters in a network)
l Key Bank = 1 bit
l FCTR (frame counter) = 38 bits

Both shim formats add an additional 8 bytes overhead to each encrypted frame.
Note: Alternate shim formats are planned in the future to allow key synchronisation for use cases
when NTP may not be available.

Encrypted Frame formats

The encryption policy determines where in the frame the shim is located and which portion of the
frame is encrypted, i.e. at layer 2, 3 or 4 as shown below.

Note: For TCP frames, the SHIM is inserted as a TCP Timestamp option. UDP frames have shim
inserted immediately following the L4 header.
Note: MTU adjustments should be made on LOCAL port connections to the devices to ensure the
encryption SHIM (typically 8 bytes, or 12 for TCP) are catered for and maximum MTU is not
exceeded within the network.

SafeNet Virtualised Encryptor CV1000 48

Section 3 - Protocol encryption

Configuration using the CLI

The following steps are required to configure an encryptor for operation in TIM mode. Note that
encryptors operating in TIM mode do not require certificates to establish trust; this functionality is
provided by the key provider mechanism. Note that other certificates may be used for management
related functions, that is, FTPS, KMIP, HTTPS, etc.

Activation
Activate the device using either local CLI activation, or remote activation using the CM7 man-
agement tool.

NTP setup
The optimal TIM mode of encryption relies on network time synchronisation across all encryption
devices. Ensure at least one NTP server is configured on each encryption platform, and confirm cur-
rent status.

Auto-population
Auto-population is a facility that can be used to automatically create tunnels. It is an alternative to the
auto-discovery or manual tunnel creation methods and must only by enabled (transitioned from dis-
abled to enabled) when auto-discovery is disabled.
When the auto population is enabled the encryptor will delete any existing tunnels and iprules,
reboot, and on start-up automatically populate (create) all tunnels by retrieving the keys from the des-
ignated key provider mechanism. Note if a key provider is set to Key Server (KMIP) the tunnel cre-
ation time may be sub-optimal depending on the key server availability. Note that for the CV product
range with restricted KID range disabled (policy -r -d), the tunnel creation range is limited to 512;.
The encryptor is not effected by disabling auto population..
To remove the auto-populated tunnels the tunnels -d command can be used.
The CLI commands to enable/disable the auto-populate option are:

CV1000_A>autopop -e
and
CV1000_A>autopop -d

The command will reboot the encryptor.

Connection mode
Use the CLI con command to set the mode to TIM.

CV1000_A>con -T

Warning this command will reset all tunnel/CI, MAC

data to their factory defaults and reboot the unit!
do you wish to proceed ? (y/n) y

Are you sure ? (y/n)

As indicated this command will reboot the encryptor.

49 SafeNet Virtualised Encryptor CV1000

 Section 3 - Protocol encryption

Policy
Following the above steps the encryptor can be placed directly into global mode "encrypt", however
you should check that auto-discovery is enabled.

CV1000_A>autodisco -e

Automatic Unicast discovery is enabled

Automatic Multicast/VLAN discovery enabled

CV1000_A>global -e

Global mode set to encrypt

CV1000_A>

Configuration Export
The non-secure configuration parameters of the encryptor can be exported to a text file using the
CM7 menu item
The purpose of this file is to provide a source of information that can be used by both local staff and
support personnel to determine the probable cause of any problems. Note that no security inform-
ation is included in the file.
If you require assistance in diagnosing problems then you should provide support staff with details of
your configuration(s).
CM7 allows you to export the configuration via the 'Export Config' button at the top of the man-
agement pane. You can then post the resulting XML file on the Customer support portal.
.

SafeNet Virtualised Encryptor CV1000 50

 Section 4 - Encryptor management

Section 4 - Encryptor management

This section describes the encryptor management system.

Management systems 51
Managing Encryptors 52
RESTful JSON interface 56
CM7 Network Manager 59
CM7 Navigation 62
KDK Key distribution 75
KeySecure 90
KeySecure tiers 91
User account management 107
Defining user accounts 107
Administrator access 108
Configuring CM7 110
KDK Key generation 113
Installing CM7 114
Initial configuration settings 117
Moving CM7 to a new PC 119

Management systems
Ethernet encryptors can be managed either via the front panel using SNMPv3 or via the (virtual)
serial port. The management systems supported are as follows:

CM7 network manager

The CM7 network management package can be used with all Ethernet, Fibre Channel and SONET
encryptors.

Command Line Interface

The command line interface provides a means of configuring and monitoring units via a virtual serial
link and terminal emulation package.

Third-party managers
Encryptors are managed via SNMPv3 and therefore third-party managers that use this protocol can
be configured to manage and monitor units. Senetas provides the required MIBs  to support these
modes of operation and can assist with implementation.

SafeNet Virtualised Encryptor CV1000 51

Section 4 - Encryptor management

Managing Encryptors
Encyptors have two management ports; a serial port that allows connection via a command line inter-
face (CLI) and an RJ45 Ethernet port that allows the connection of an SNMPv3 based management
package. For virtual encryptors these are provided by NFV functionality.
Senetas provides PC-based management systems for the CN series of encryptors that address the
needs of a wide range of users. This document describes the methods used to connect to
encryptors, thus providing you with the information required to select a solution that best meets your
needs.
Management connections are used to configure an encryptor and to facilitate the ongoing mon-
itoring of its performance. There are two different methods of device management: a character based
approach using a Command Line Interface (CLI), and a graphical user interface using the SNMP pro-
tocol. These are described in detail in the sections that follow.

CLI management
Encyptors can be managed via a serial port that supports a Command Line Interface (CLI). Details of
the required connection and its configuration are provided in the encryptor's installation manual.
To use the CLI the management system must install a terminal emulator such as Hyperterm, Ter-
aTerm or PUTTY.
The available CLI commands are described in detail in the Command Line Interface section begin-
ning on page 135.

SNMP management
Management via SNMP is based on version 3 of the standard, which has provision for user authen-
tication and ensures privacy of the connection using Diffie-Hellman based encryption. SNMPv3 uses
the UDP connectionless protocol, which can be routed over any layer 3 network.
The way in which CM7 connects to an encryptor is usually dictated by the type of network that is
available. The sections that follow discuss each of the approaches that can be taken and the reas-
ons why they would be selected.
After you have selected the method that best suits your needs, you can refer to the appropriate con-
figuration information in the sections that follow.

Management connections:
Encryptors are managed using a connection to their management ports.
Each encryptor is supplied with cables for both the Serial and Ethernet ports.

A users’ credentials are authenticated before they can access the

Authentication only
encryptor
(authNoPriv)

Authentication and Pri-

vacy SNMP traffic between CM7 and the encryptor is encrypted
(authPriv)

If an encryptor does not respond to the CM7 SNMP request, it may be necessary to cancel and re-
issue it.

52 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

SNMP connections
Virtual connections:
Senetas virtual encryptors use virtualisedconnections rather than physical ones. Since the
operation of hardware and physical encryptors are almost identical, in the sections that fol-
low these connections are described using their physical names.

Encryptors can be managed locally by CM7 via the RJ45 connector on the front panel using Simple
Network Management Protocol version 3 (SNMPv3).
SNMPv3 is an industry standard that addresses the deficiencies in the two earlier versions of the pro-
tocol by adding support for authentication and encryption. SNMPv3 security uses the concept of a
user for which security parameters (levels of security, authentication, privacy protocols, and keys)
are configured for both the agent and the manager. The security model protects against message
delays and message replay by using time indicators and request IDs. Management packets can be
sent with authentication only – authNoPriv - or with both authentication and privacy (encryption) -
authPriv.

UDP protocol:
The UDP protocol is connectionless, which means that the management system issues com-
mands which are never acknowledged by the encryptor.
UDP works well in any network and CM7 can change both the retry and timeout parameters
to accommodate both noise and network delays.

Direct connection to front panel

A direct connection from the system hosting CM7 to the (virtual) RJ45 connector on the front panel is
the simplest means of managing an encryptor. For this to operate, a common subnet is required and
switches are often used to connect to and manage multiple units.
This connection method is suitable for local connections in data centres. The system on which CM7
is running needs to be able to access each encryptor's IP address.

Figure 7 Direct Connect Management

Which connection?
The simplest way of managing an encryptor is via a direct connection to the front panel of a
local unit or via a layer 3 network to remote units.
In some cases an out-of-band connection may not be available and the ‘in-band’ method
may be required.

SafeNet Virtualised Encryptor CV1000 53

Section 4 - Encryptor management

Out-of-band management
If the unit that is to be managed is in a different location then the SNMPv3 traffic can be routed via a
layer 3 network to the encryptor's front panel. Because the SNMPv3 traffic is encrypted the con-
nection is secure.

Figure 8 Out-of-Band Management

In-line management through the encryptors

In this mode of operation the management traffic is inserted into the data being encrypted by the
units and connected back to the physical front panel of the remote unit(s). This method is not recom-
mended as the operational state of the encryptors can impact connectivity. Note - the alternative
'in line bypass' mode can be used for encryptors located within Shortest Path bridging networks.

Figure 9 In-line Management

Third-Party Managers
An existing SNMPv3 manager can be used to manage and/or monitor the encryptors within the net-
work. To support this Senetas makes available copies of the MIBs that define the SNMPv3 traffic that
is used by the units.

MIB availability
For those organisations who wish to access encryptors from within their existing com-
munications management systems, Senetas provides the required MIBs.
The integration of MIBs allows you to both monitor and control units via the secure SNMPv3
management port.

54 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Monitoring:
SNMPv3 is required to manage encryptors; however, SNMPv1 can be used to monitor their
status.
SNMPv1 access can be granted to Individual user accounts to facilitate this.

Routing considerations
All of the management traffic used to configure and/or monitor the state of an encryptor is based on
the SNMPv3 standard using the UDP protocol on port 161.
Each encryptor has a configurable ‘front panel’ Ethernet address which can be defined using the
IPv4 and/or IPv6 format.
Management traffic is routable and therefore, provided that the ‘front panel’ Ethernet connection of a
unit can be accessed, the unit can be managed. As a general rule the accessibility of an encryptor
can be determined by ‘pinging’ its management address.

Address translation, Port forwarding

Encryptors may be located within a subnet that is accessed via a router that applies network address
translation (NAT) to the traffic. In these cases the network may use a single IP address for all units
and differentiate between them via a unique port number. CM7 supports these configurations by
allowing encryptors to be discovered using the unique IP address-Port combination. Refer to page
68 for details of the discovery process.

Figure 10 Address translation

The above example illustrates how two encryptors are accessed via a router at 10.0.34.3 in which
the routing rules provide for translation to the encryptor IP addresses based on the traffic's port num-
ber.

SafeNet Virtualised Encryptor CV1000 55

Section 4 - Encryptor management

RESTful JSON interface

A RESTful HTTP(s) interface is provided for the purposes of remote monitoring and issue detection.
The RESTful interface leverages the existing SNMP MIB interface, providing the ability to walk the
SNMP MIB from any existing OID using its textual representation within a URL parameter.
The RESTful interface access control is controlled via the user console access rights.

Configuration
The RESTful interface can be configured using either the rest CLI command or CM7.

Access with CM7

When using CM7 the area of interest can be determined using either OIDs from either the Senetas
provided MIB files, or those provided by right clicking a control and saving the OIDs to the clipboard.

In the above example the following inventory table OIDs are saved:

56 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

RESTful examples
The following sections provide examples of how the RESTful interface can be used to perform typ-
ical functions.

Alarm monitoring
The OID for the AlarmGroup can be used to show the status of an encryptors alarms. Most tables
provide a count scalar variable for monitoring.

Audit and Event log monitoring

In addition to monitoring Alarms, it may be beneficial to collate/monitoring changes in the audit and
event logs. Centralised remote syslog server configuration is the preferred option to achieve this,
however it is also possible to monitor these logs via the RESTful interface.

SafeNet Virtualised Encryptor CV1000 57

Section 4 - Encryptor management

Connection status
Connection tables are specific to the protocol and operational mode selected. The following
example relates to VLAN mode. In all cases specific focus should be given to the connection status
(in this case gEthVlanConnCiStatus).

Interface status
This allows the status of the links to be examined.

58 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

CM7 Network Manager

CM7 communicates with the encryptor using SNMPv3 commands over an Ethernet connection to the
front panel and it can be used to discover, activate, certify, configure and monitor the unit. As is the
case with other Windows applications, user interaction is based on a Graphical User Interface (GUI)
from which the required operations can be accessed.

Launching and Logging in to CM7

User credentials, which are case sensitive, are held securely within each encryptor and are used to
authenticate your access rights whenever you log onto an encryptor.
Prior to performing any management function it is recommended that you provide your credentials to
CM7. These are entered using the login screen which is displayed whenever you launch the CM7
application.

SafeNet Virtualised Encryptor CV1000 59

Section 4 - Encryptor management

Figure 11 Logon dialogue

The ‘Skip’ option allows login using the default credentials. This option is convenient when initially
activating units.

User Name: admin

Password: $Password1

The user account within an encryptor is identified by the ‘User Name’ and the user’s right to access
the unit is authenticated with the supplied ‘Password’. Privacy refers to the security afforded the
SNMPv3 traffic between CM7 and the encryptor that is being managed. From v5.1 of the firmware,
user names can only contain alphanumeric, underscore, dot and dash characters. All other char-
acters are stripped or discarded.

Note:
By default privacy is enabled and CM7 uses a Diffie-Hellman key exchange to authenticate
the user and ensure privacy by encrypting each SNMPv3 request.

If you have different user account names and/or passwords on each encryptor you will need to log
out and back in every time you want to manage a different unit. It is usually more convenient to use
the same account names and passwords on all encryptors so that they can be managed from a
single CM7 login session.
CM7 keeps the Names and IP addresses of all of the encryptors that have been ‘discovered’ in its
database. These are used to populate the Encryptor selector so that the login process can be as
simple as entering your credentials and selecting the desired unit.

SNMP security level

The default security level setting for CM7 is 'SNMPv3: Authentication, Privacy' which provides a Dif-
fie-Hellman authenticated connection. You can use the settings shown in Figure 12 on the facing
page to change this if required.

60 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 12 SNMP Security level settings

The 'SNMPv1: No Authentication, No privacy' setting is used to provide users with read-only access.
The 'SNMPv3: Authentication, No Privacy' setting is provided to allow operation with encryptors that
feature earlier versions of firmware that do not support the Diffie-Hellman protocol.

Exiting from CM7

The simplest way to exit CM7 is to ‘Close’ the main window.

Figure 13 Exit via Close button

It is also possible to exit from CM7 by clicking on ‘Log out the current SNMP user’ which requires con-
firmation.

Figure 14 Exit via Log out Icon

SafeNet Virtualised Encryptor CV1000 61

Section 4 - Encryptor management

Figure 15 Confirmation dialogue

Or if you are in the user credentials screen (see Figure 11 on page 60) you can just select ‘Exit’.

CM7 Navigation
The layout and features common to most views within CM7 are highlighted below. Note: Some icons
may not be available on all screens. Note also that later versions may include additional functionality
and this illustration is intended for familiarisation only.

Figure 16 CM7 Main Screen

62 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Navigation is performed by clicking, double clicking or right-mouse clicking on the various screen
elements.
Most elements may be opened by single clicking the item (e.g. screen buttons, title bars, title bar but-
tons, icons).

Figure 17 Main navigation functions

Note that from CM7 v7.5.1 onward, additional icons are available for defining a Configuration server.
The related functions which are described below can be called whenever you want to create or
reconfigure the way in which discovered configurations are saved.

Figure 18 Configuration icons

The left most 'New' icon allows you to create new .INI file or configuration database into which you
can save discovered encryptors. The following two screens shows the selection for these.

SafeNet Virtualised Encryptor CV1000 63

Section 4 - Encryptor management

Figure 19 Create a new INI file

You can make the .INI file specific to the current user or allow it to be accessed by any CM7 user.

Figure 20 Create a new Configuration database

The named database is created on the specified server. When 'Create' is clicked the database is cre-
ated and CM7 restarts, allowing the user to specify their Station ID.

The second 'Open' icon allows you to select an existing .INI file or configuration database as the
source of the discovered encryptors

64 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Locating and selecting an existing .INI file loads its encryptors into the discovered list and makes it
the current source of discovered units. If a database is required then the following screen is used.

Figure 21 Select an existing database

Note that the red 'delete' icon next to the Database Name selector can be used to delete databases
that are no longer required.
Clicking the 'browse' button to the right of the 'INI File' selector displays the existing .INI files so that
the desired one can be selected.

Figure 22 Select an existing .INI file

SafeNet Virtualised Encryptor CV1000 65

Section 4 - Encryptor management

The third 'SaveAs' icon allows you to save the current list of discovered encryptors into either an .INI
file or a configuration database. This function is used to transfer encryptors from the current source to
a selected source.

Figure 23 Save current list to a database

If the specified database already exists a warning dialog is displayed so that you can specify
whether it should be overwritten or not.

Figure 24 Database exists warning

66 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Configuring the discovered encryptor list

Right clicking on an encryptor listed within the navigation pane opens up a pop-up menu.

Figure 25 Encryptor functions

The pop-up menu contains the same options as the buttons within that configuration group’s title bar,
these being enabled or disabled depending upon the encryptor's current state.
Open - displays the Management options so that the selected unit can be managed
Open As Group - opens a window which has combined views of all selected encryptors
Activate - selects the Activation screen
Certify - allows the signing of certificates within the selected encryptor (only available if layer 2
modes enabled)
Upgrade - allows the upgrading of the firmware of the selected encryptor
Add Group - add a new group that can be used to logically associate encryptors
Add Saved Setting - adds an encryptor that has been saved as an XML file
Delete - delete the selected unit
Move Up -move the selected unit up within the group
Move Down - move the selected unit down within the group
Move Left - move the selected unit left within the group
Move Right -move the selected unit right within the group

SafeNet Virtualised Encryptor CV1000 67

Section 4 - Encryptor management

CM7 Screen selection

To select a particular function, simply click on the required screen button.

Figure 26 Functional navigation

Discover - allows you to discover encryptors using their IP address. See "Discover screen" on page
68
Activate - allows you to activate encryptors that you have discovered. See "Activate screen" on page
69
Key - allows you to distribute previously defined Key Derivation Keys (KDK's). See "KDK Key dis-
tribution " on page 75
Manage - allows you to manage a selected encryptor. See "Manage screen" on page 79
Upgrade - allows you to upgrade the firmware of a selected encryptor. See "Upgrade screen" on
page 105

Discover screen
Encryptors are discovered by selecting the CM7 Discover function, entering the lowest and highest
management IP addresses to be polled and then starting the discovery process.
The discovered units are displayed so that they can be selected and added to the discovered
encryptor list. If an encryptor is a multi-slot unit then its slots will also be discovered and grouped
after the host unit.

Figure 27 Discover encryptors

The polling period can be increased to allow for network delays and the number of retries can also
be increased should this be necessary in noisy environments.

Configuration servers
CM7 introduced support for 'configuration servers' in version 7.5.1. Configuration servers
provide access to configuration databases into which the discovered encryptors list can be
saved. Having a number of defined configuration databases makes it simple for users to
share access to groups of encryptors in which they have a common interest.

68 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Configuration servers
CM7 currently supports the open 'Redis' configuration server. However this does need to be
installed separately.

Activate screen
When an encryptor is shipped it has default credentials which must be changed prior to configuring
the unit to meet the requirements of the network. This process is referred to as 'activation'.
Note that activation can also be performed using the CLI. See "activate" on page 136
The default credentials comprise a single administration account named ‘admin’ which has a known
password, ‘$Password1'. The credentials will be reset to this ‘factory default’ state if an encryptor is
‘tampered’ or ‘erased’.
When in the factory default (non-activated) state, the facilities for Certification are disabled and the
facility to Activate is enabled. Selecting the Activate function opens the activation screen, which
includes a list of the required steps. These steps are described in more detail below, with the on-
screen step number identified with an [n] reference.
o Instructions are displayed as shown in Figure 28 on the next page.
o The first step is to place the target encryptor in ‘Activate mode’[2]. .
o After the encryptor has been placed in Activate mode, CM7 is used to request a CSR from the
unit; this will be used as a secure medium for transferring the new credentials to the
encryptor.
o The hash of the retrieved CSR is compared to the encryptor's hash[5]. This is a necessary
step to prevent man-in-the-middle attacks.
o The new credentials' which include a valid password (which cannot be $Password1) are
entered [3] and sent to the encryptor [4].
o The hash of the CSR reloaded to the encryptor is now compared by the certifiers to the
updated hash displayed by CM7 [6]. (Again, a necessary step to thwart any attempted man-
in-the-middle attacks.)
o Assuming that the hashes match and the update is acknowledged then the new credentials
are used to login to the activated units or continue to select and activate additional units.

SafeNet Virtualised Encryptor CV1000 69

Section 4 - Encryptor management

Figure 28 Activation dialogue

70 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

KeyVault
CM7 can be used to sign certificates from credentials held within a keyvault. Note that KeyVault is
not supported on multi-slot encryptors. This functionality is accessed using the CM7 Certification but-
ton and then the Certify tab as shown below.

Figure 29 Signing Certificates with KeyVault

The required steps are shown at the top of the screen.

CM7 Licensing screen

When the CM7 licensing screen is selected the instructions and fields shown in Figure 30 on the
next page are displayed. As described in the following sections there are two forms of license avail-
able; licenses that are signed by Senetas, and license that are signed by the and Sentinel licensing
server.

Senetas signed licenses

SafeNet Virtualised Encryptor CV1000 71

Section 4 - Encryptor management

Figure 30 Licence dialogue

Export Licence CSRs - allows the exporting of an encryptor CSR that will be sent to Senetas for
signing. The dialogue is as follows:

72 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 31 Exporting a licence CSR

Import Licence Certificates - allows the loading of a signed licence file to the encryptor. The dia-
logue is as follows:

SafeNet Virtualised Encryptor CV1000 73

Section 4 - Encryptor management

Figure 32 Importing a signed licence

74 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

KDK Key distribution

In order to establish secure connections TIM mode encryptors operating in KDF mode must be pro-
visioned with KDK keys. These keys will have been created within CM7 using the KDK generation
process described on page 113
To initiate key distribution select the 'Key' button at the top left of the screen to display the available
encryptors and the following dialogue.

By default the last KDK key file that was created will be selected, however you can use the browse
button to select any others that may exist.
The assigned Password must be entered to open the file.
If the Key is to be applied immediately then the Install UTC Time selector should be left blank. If the
Key is to be applied at a later specified time then the selector can be used to select the required
Date/Time. The edit button to the right of the selector can be used to clear the selector.

Prior to selecting the Add KDK button, the required encryptors should be selected in the Encryptor
list. Note that the checkbox at the top left can be used to select or clear all of the available TIM mode
units in the list.

SafeNet Virtualised Encryptor CV1000 75

Section 4 - Encryptor management

Following key distribution the display will show a hash of the Current key in use and also if specified
a hash of the key that will be in use following the scheduled update. Note that if the 'UTC Time' field
was left blank the encryptor(s) connections will restart using the new key. If the key generation
defaults are left in place, the displayed hashes can be matched with the KDK key file names to
identify the file used for distribution.

76 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Sentinel licensing
The Sentinel licensing approach requires that CM7 be used to generate a series of lock codes, one
for each selected encryptor, and that these codes be submitted to the license server along with a
Gemalto provided activation code. Prior to running the generator, the 'Export lock codes' function is
used to create a file with all of the lock codes.

Figure 33 Lock code creation

The generator provides batch activation based on the lock codes. Prior to running the generation pro-
cess a registered Sentinel user will obtain an 'Entitlement' from Gemalto which will include the URL
and the Activation code. The generator is run from it's installed location:

SafeNet Virtualised Encryptor CV1000 77

Section 4 - Encryptor management

Figure 34 License Generation

The required fields are:
Sentinel EMS URL - the URL of the license server.
Activation code - the code provided by the licensor that is used by the server to validate and license
the submitted lock codes.
Select LockCodes - a button that opens a dialouge that allows selection of the CM7 generated lock
codes. A count of the codes in the file is displayed.
License File - a button that opens a dialouge that allows the selection of the location the resulting
license file will be placed.
Generate - a button used to submit the lock codes and generate the licenses.

The progress indicators at the bottom of the screen show the completion state of each individual and
all lock codes.
Once the license file has been generated the 'Import RMS License' function is used to import the
licenses and load them into the encryptors.

78 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Manage screen
Selecting the Manage icon and double clicking the desired encryptor within the navigation pane dis-
plays all the available information and configuration items as shown in the following figure(s). The
items can be expanded either individually by selecting them, or all items can be expanded or col-
lapsed using the selectors at the top of the list. The magnifier icon can be used to display an item in
full screen mode. Each of the available options are described in the sections that follow, note how-
ever that depending upon the encryptors current configuration, not all of the listed options may be
apperar.

SafeNet Virtualised Encryptor CV1000 79

Section 4 - Encryptor management

Global configuration settings must be identical on all encryptors within a logically connected net-
work. It is recommended that CM7 encryptor grouping be used so that colour coding can be used to
quickly identify settings that differ.

80 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Management options
Each of the configuration group panes has a header that provides icons related to the details being
displayed. These may differ from pane to pane since not all of them are applicable to all groups.

Figure 35 Configuration options

The 'Pause' button can be used to inhibit or enable the periodic update of the screen. This is useful
when comparing data such as network frame counts, etc.
The 'Refresh' button is used to force an update of the screen data. This can be used to request an
update ahead of the periodic refresh.
The 'Apply' button is used to save any pending changes that you have made to the encryptor. This is
required if those changes are to be retained.
The 'Copy To..' button displays a list of peer encryptors and allows you to select those that you want
to copy this panes settings to. This is used for User accounts, server setup, etc.
The 'Add' button is used to create additional entries in the pane. This applies to all multi-line panes
such as Servers, user accounts, etc.
The 'Delete' button is used to delete selected entries from the pane.

When changes have been made and the Apply button has not been used, a 'Discard' button is also
displayed so that the entry can be cancelled.

Right clicking within a configuration group’s pane displays up a pop-up menu containing the avail-
able options particular to that configuration group.

Figure 36 Group configuration options

Note that the available options in the pop-up menu are the same as the Group Configuration Pane's
icons. If a menu item is disabled then it is not applicable.

SafeNet Virtualised Encryptor CV1000 81

Section 4 - Encryptor management

Figure 37 Common options

When changes have been made to a pane's content the 'Apply' and 'Discard' buttons will remain col-
oured until one of these is selected. If you exit from the management functions without doing this, the
following screen will be displayed to remind you of the pending changes.

Figure 38 Save changes dialogue

Some of the elements that are unique to a particular screen are highlighted within the relevant sec-
tions that follow.
The options displayed can vary depending upon the type of encryptor selected and the 'Hide Not
applicable Setting' option. See "Configuring CM7" on page 110

Front panel mimic

The Front Panel Mimic selector displays in a simplified way the current status of the encryptor's front
panel. While the actual content depends on the model and encryptor type, the content of the LCD dis-
play, and the state of all of the current LEDs is usually included. Note also that the images included
in this manual are representative of the encryptor family.

Where an encryptor has multi-slot capability and a slot is being managed the mimic shows a border
around the selected slot.
The alarm line of the display, adjacent to the Alarm LED, has a character for the state of each slot; !
indicates and unacknowledged alarm, * an acknowledged alarm, and ^ an inactive, unac-
knowledged alarm.

Overview
The Overview selector provides a means of examining and updating encryptor descriptive inform-
ation.

82 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 39 Overview display

Description - shows the encryptor model and protocol.

Contact - allows you to enter contact information such as a responsible person, department and tele-
phone number.
Name - allows you enter or update the name that identifies the encryptor. Note that in version
2.6.0/4.6.0 onward to conform to RFC1035 section 2.3.1, the only special characters allowed are '-'
(hyphen) and '.' (dot) and they must not be in the first or last positions.
This name is different from the one shown as part of the CLI prompt, which is set using the CLI
prompt command described on page 161.
Comment - allows a comment to be entered. This is stored in the encryptor and printed as part of the
configuration details.
Vendor - this field contains a manufacturer generated string.
Firmware - this field displays both the hardware version and the unit's serial number.
Hardware version - as above, the version number identifies the physical encryptor build inform-
ation.
Serial Number - as above, the serial number provides a unique identifier for the encryptor.

Utilization
The Utilisation pane displays graphics that include metrics for the traffic flowing through both the
ingress and egress ports in both directions.

SafeNet Virtualised Encryptor CV1000 83

Section 4 - Encryptor management

System
The System display provides system level information, allows authorised users to enable or disable
key features and shows the status of hardware modules.

Figure 40 System display

Local Time - the date and time can be entered. These can also be updated via the date CLI com-
mand or if configured via the NTP server(s). Refer to NTP configuration screen shown on page 89
on page 89
Access locking
- Front Panel keypad - this allows the front panel to be locked so that the configuration cannot be
changed
- Front Panel USB - this allows the USB socket to be locked so that inserted USB sticks are ignored.
the USB socket must be unlocked for any firmware upgrades to be loaded.
FIPS PUB 140-2 Mode - this allows the FIPS mode of the encryptor to be enabled or disabled. By
default FIPS mode is enabled.
Entropy Pool - enables/disables the use of a user-provided entropy pool in place of the encryptor's
hardware derived entropy
- Size - total size of the entry pool in bytes
- Bytes remaining - remaining bytes before pool is exhausted
- Bytes used - bytes consumed to date
- Estimated days remaining - based on current consumption rate over previous days (7 days rolling),
allow 24 hours for initial calculation
Restart Encryptor - this allows the encryptor to be restarted with an option to first erase the unit. A warning dialogue
is displayed to allow confirmation. Following a non-erase restart, the unit will re-establish connections based on the cur-
rent mode and policy settings.

Management Module - provides details of the encryptor management module

- ID - identifies the unit within the encryptor
- Physical Location - describes the module location
- Board Number - identifies the module type by manufacturing code
- Description - a functional description of the module
- Serial Number - the serial number of the module
- Software version - the version of software loaded into the module
- Software description - a functional description of the software
- Build ID - the build identifier the software
- Build Number - the sequence of the build
- Build Date And Time - the date and time the build was performed

84 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Interface Module - provides details of the encryptor's network interface module

- refer to descriptions above
Interface Module - provides details of the encryptor's local interface module
- refer to descriptions above

Date/time
The Date and Time display shows the current date and time and the time zone and allows these to
be set either directly or from the clock of the management system.

Figure 41 Date and Time setup

Local Time - the date and time can be entered. These can also be updated via the date CLI com-
mand or, if configured, via the NTP server(s). on page 89
Time Zone - the time zone that the encryptor is located in.

Time Zones
Support for time zones was introduced in V2.4 of the firmware and their use is optional.
The advantage of using time zones is that it allows encryptors in different zones to display
their local time while providing synchronised UTC event logging in Syslog servers. It is
recommended that, if used, the time zones are set prior to setting the encryptor's local time
as setting a time zone other than UTC applies the offset to the current local time. This might
require that the local time be reset.
If the time is set using the “Set Time From PC” button, it is assumed that the PC and
encryptor are in the same timezone; if they differ the correct Local Time must be entered
manually.

NTP Server Configuration

The Server Configuration option allows you to Add, Delete or Edit the addresses of up to 10 NTP
servers.

SafeNet Virtualised Encryptor CV1000 85

Section 4 - Encryptor management

Figure 42 NTP configuration

ID - the index of the NTP server. Used when editing server parameters using the CLI.
IP Address - the IP address of the server in dotted notation form, for example, 178.12.3.1. This is
used by the encryptor to contact the server.

User
The User configuration selector allows you to examine and modify the access controls associated
with users. When shipped, an encryptor has a single administrator account that has the admin/$Pass-
word1 credentials. If the unit is erased or tampered with then these are re-established.

Figure 43 User access control

The top section of the screen has the fields that are common to all users. These include password
policy and inactivity lockout.
Enhanced Password Policy - can be enabled to allow extension of policy to meet AR-25 require-
ments
Password Policy Parameters - summarises the following 5 password parameters
- Minimum Password Length - defines the minimum number of characters in a user password
- Minimum Number of Uppercase Characters - defaults to 8 and allows up to 32 with enhanced
policy
- Minimum Number of Lowercase Characters - defaults to 1 and allows up to 3 with enhanced
policy
- Minimum Number of Numeric Characters - defaults to 1 and allows up to 3 with enhanced policy
- Minimum Number of Special Characters - defaults to 1 and allows up to 3 with enhanced policy
Note that within each of these there are no restrictions on the characters that can be used.

The lower section of the screen has a single line entry for each of the user accounts. Up to 30
accounts can exist and accounts can be added and deleted or selected for editing. The fields are:
User Name - short form name used as login ID

86 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Description - a long form of the user name that is used for reporting purposes.
Privilege level - the user's authority level: Administrator, Supervisor, Operator, or Maintainer
User Account - defines status, active or disabled
Console Access - enabled or disabled to specify whether CLI access is allowed
SNMP Access - enabled or disabled to specify if SNMP management access is allowed

Console Management
The Console Management display allows you to update the information that will be displayed when
the CLI is used.

Figure 44 Console messages

Pre-Login Banner - The message that will be displayed on the terminal screen prior to the user log-
ging into the encryptor. This will typically be used to advise the user of security requirements, etc.
Post-Login Banner - The message that will be displayed on the terminal screen after the user logs
in. Typically this message re-enforces the security requirements, for example, advising the user not
to leave their terminal unattended.
Prompt - the text that will be displayed ahead of the '>' symbol as the prompt for user input on the
CLI. Typically this would be the encryptor model and/or location.

The pre and post banners can also be set using the banner CLI command.

Network addresses
The Network Addresses selector allows you to define the addresses that are used by SNMP to com-
municate with the encryptor. The front panel address can have both IPv4 and IPv6 addresses.

SafeNet Virtualised Encryptor CV1000 87

Section 4 - Encryptor management

Figure 45 Network addresses

The display has three sections; the top allows the inband gateway functionality of the encryptor to be
enabled or disabled and shows the front panel NIC address and operation mode. The fields are as
follows:
Inband Management Gateway - when enabled, the encryptor will operate as an inband gateway
that allows the management of configured remote encryptors.
Front Panel Main Port - the physical address of the primary front panel port
Front Panel Aux Port - the physical address of the auxiliary front panel port

The second section of the display shows the three available IP addresses; the front panel IPv4
address, the front panel IPv6 address and the inband IPv4 address. Each of these can be edited by
selecting the required field, making the change and clicking 'Apply'. The fields are:
Address - the IP address of the encryptor in 'dotted' (CIDR) notation
Prefix - the network mask that applies to the IP address
Gateway - the gateway address
Status - set to enabled or disabled to allow access to the address

The inband VLAN section allows a VLAN ID to be specified for inband management. This is required
where encryptors are remotely managed within a VLAN environment. Note that inband management
within VLAN (VPLS) networks requires that at least one entry be present. The untagged entry exists
by default however additional entries may be required - refer to the CLI inband_vlan command for
details.

88 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

SNMP
The SNMP selector allows you to set SNMP management parameters and define the addresses that
the encryptor will send SNMP trap messages to. Up to 8 addresses can be defined and each of
these can be individually enabled or disabled.

Figure 46 SNMP trap configuration

The upper section of the display is used for SNMP management parameters:
SNMP Privacy - by default SNMP privacy is enabled which means that traffic between CM7 and the
encryptor is encrypted.
SNMPv1 (Monitor Only) - when enabled, SNMPv1 can be used to monitor, not manage, the status of
the encryptor. By default this is disabled and only SNMPv3 can be used to manage the encryptor via
the front panel.
SNMPv1 Community String - configures the SNMPv1 community string used to authenticate clients
during SNMPv1 access and to identify sent trap messages. Changing the string will log an audit mes-
sage.
Auth Failures Time Window - sets the time in minutes for which a user will be locked out on con-
secutive authentication failures. This feature is only operational for SNMPv3 AUTHPRIV.
Auth Failures Before Lockout - sets the number of consecutive SNMPv3 AUTHPRIV failures that
will result in the user being locked out for the Auth Failures Time Window.
Alarm Trap period - specifies the period in seconds between traps sent for active unacknowledged
alarms. A value of 0 specifies that a trap will only be sent when the alarm becomes active and not
periodically.

The lower section is used to define up to 8 SNMP trap receivers. CM7 can itself be defined as a trap
receiver, however for these to be received CM7 must be enabled as a listener. See "CM7 Settings"
on page 110.
Address - the IP address of the SNMP receiver
Status - set to enable or disable the receiver

Syslog Server Configuration

The Server Configuration option allows you to Add, Delete or Edit the addresses of up to 10 Syslog
servers.

SafeNet Virtualised Encryptor CV1000 89

Section 4 - Encryptor management

Figure 47 Syslog configuration

ID - the index of the Syslog server. Used when editing server parameters using the CLI.
IP Address - the IP address of the server in dotted notation form, for example, 178.12.3.1. This is
used by the encryptor to contact the server.

FTPS and SFTP

The File transfer Protocol (FTP) is used within Senetas encryptors to perform firmware and software
upgrades. This capability is extended by the FTPS and SFTP functions to provide secure con-
nections.

Figure 48 FTP server setup

Restrict to FTP Servers - if enabled, FTP requests to IP addresses that have not been added to the
FTP Server table will be rejected.
Support for RSA keys was removed at version 5.0.2.

KeySecure
The SafeNet KeySecure Platform consists of two required components: the ProtectApp ICAPI KMIP
client, and KeySecure. The client requests cryptographic operations to be performed by KeySecure
through one of the Cryptographic Providers, or the XML interface. KeySecure performs all the
desired operations and returns the data to the client, thus providing cryptographic functionality over
the network.
The CM7 KeySecure option allows you to configure a KeySecure server so that it provides keys for
an encryptor.

90 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 49 KeySecure configuration

KeySecure - enables or disables key provision.

Owner Name - the name of the client account within the KeySecure system
Password - the password for the account

Note that when KeySecure is used with a virtual encryptor, for example the CV1000, the cre-
dentials must be re-entered each time you connect to the unit.

Up to 10 Key servers can be configured, each being added by clicking on the Add selector and enter-
ing the IP address of the server.

KeySecure tiers
The KeySecure platform provides a multi-tier load balancing feature that allows you to create up to
three levels of load balancing groups, called tiers. When one tier is unreachable, the system fails
over to the next tier. Unless you provide a global without a tier suffix, tiers must be configured in
order, that is, you cannot have tier 3 without tier 1 and tier 2,
The fields required to define a tier are;
ID -
Tier - the tier number which is used to access the configuration.
Port - the port number
Proto - the protocol used. This can be ssl or tcp. Connections using ssl are authenticated whereas
those using tcp are not. For this reason ssl connections are recommended.
Pool - the communications pool size
Read timeout -
Idle timeout -
Retry interval -
Certificate - the identifier of the certificate that will be used to authenticate the conneciton.

TACACS+
The TACACS+ protocol is an open standard for remote Authentication, Authorisation and Accounting
(AAA) services. It provides centralised management of encryptors with password change being avail-
able from CM7 and the CLI.

SafeNet Virtualised Encryptor CV1000 91

Section 4 - Encryptor management

The implementation of TACACS+ includes the use of the MD5 hashing algorithm which means that
when it is enabled the encryptor is no longer FIPS 140-2 compliant. Enabling the protocol provides
clear guidance that an unsupported FIPS 140-2 feature is in use.

Figure 50 TACACS+ AAA configuration

The fields are as follows:
TACACS+ Operations - enable or disable global TACACS+ operation
Auditing Message Broadcast - enable or disable the broadcasting of auditing messages to all
TACACS+ servers. When disabled (the default), send messages to only the active server, that is, the
server that provided the authentication/authorisation.
Ticket Request User - the predefined user name that will be used by CM7 to send the ticket request
to the TACACS+ server.
Ticket Request Password - the password to verify that the TACACS+ connection is to be authorised
based on the CM7 supplied Ticket Request password.

The lower section of the screen is used to add, edit or delete TACACS+ servers using their IP
address.

Remote Secure Shell CLI access

The Command Line Interface (CLI) is accessible via a remote secure shell (SSH) facility which
provides management functions similar to those provided by the CM7. SSH is disabled by default
and must be enabled using the CM7 interface shown above or via the local/physical CLI. A max-
imum of 10 concurrent remote CLI sessions are supported.
The ability to remotely manage an encryptor via SSH facilitates remote scripting by the user for the
purposes of configuring/certifying the devices as well as verifying current configuration status and
general health monitoring.
Prior to enabling CLI access, an SSH key pair must be generated and the Public key added to each
of the required encryptors.

SSH key pair creation

The public/private key pair that is required for SSH authentication can be generated using the key
generation option of the PuTTY key generator (PuTTYgen).

92 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 51 Public/private key generation

Select the SSH-2 RSA key type and ensure that the number of bits is 2048. Note that lesser key
sizes or hash algorithms are not supported.
Click on 'Generate' and PuTTY will begin key generation, prompting you to ensure good entropy by
moving the mouse within the Public key pane.
When generation completes, save the Private key as, say, RSA_SSH.ppk, for subsequent use when
logging into the encryptor and save the Public key in OpenSSH format from the Public key pane
(not PEM format), to the encryptor(s).

Figure 52 Enabling SSH

Enable Remote CLI Access and check that the SSH server port is 22.
To save the Public key perform the following:

Select and copy the Public key from the PuTTY generators Public key frame

SafeNet Virtualised Encryptor CV1000 93

Section 4 - Encryptor management

Open CM7 and navigate to the Remote CLI pane

Enable CLI access and check that the port is 22
Click 'Add' and paste the Public key into the 'SSH Public keys' pane
Click 'Apply' to save the Public key in CM7

Encryptor configuration

To allow login to an encryptor it is necessary to save the Private key in it using the the PuTTY Con-
nection>Data screen.

Figure 53 Setting the auto-login user name

Enter 'cli' as the login user name.

Next select the SSH>Auth screen and browse to the location the Private key was
saved in.

94 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 54 Accessing the Private key file

Next, select the Session screen, enter the IP address of the encryptor, create a unique session name
(as will be used for login to this encryptor) and click 'Save'

Figure 55 Saving the private key to the encryptor

The procedure needs to be repeated for each encryptor that is to be accessed.

SafeNet Virtualised Encryptor CV1000 95

Section 4 - Encryptor management

SSH Logon
An SSH connection can now be initiated by running PuTTY and then from the session screen select-
ing the required session from the Saved Sessions list and clicking Load and Open.

Policy
The Policy option allows you to examine and update the policy that will be applied to connections.
The contents of the fields will change depending upon the unit being managed. The "Hide Not
Applicable Settings" selector allows you to hide or show features that are not applicable to the
encryptor you are managing. Refer to "Configuring CM7" on page 110

Figure 56 TIM mode Policy definition

Global Mode - top level mode that specifies whether the encryptor is in 'Discard', 'Bypass', or
'Encrypt'
Operational Mode - shows the current operating mode of the encryptor
Connection Mode - displayed when Line Mode is disabled to allow selection of MAC, VLAN, SPB or
TIM mode. The connection mode can also be set from the CLI using the con command.
Key Provider - allows selection of the key provider used in TIM mode. The available values are KDF
which specifies a Key Derivation Function and KMIP which specifies a KMIP Key server. Changing
the Key Provider requires the user to restart the connections to enable immediate change over the
new provider.
TRANSEC - used to enable TRANSEC and define the Transport Frame header.
- TRANSEC mode - enables or disables TRANSEC
- Frame length - configures the length in octets of the Transport Frame
- Frames Per second - specifies the transmission speed of TRANSEC traffic
- Bandwidth(%) - specifies the bandwidth of the TRANSEC link in bits per second
- Destination MAC - specifies the MAC address of the remote peer encryptor
- Source MAC - specifies the MAC address of the local encryptor
- Header bytes -
IGMP/MLD Processing - shows status of IGMP/MLD processing
- IP Protocol Encryption ID - specifies the ID used to identify frames that have been subject to
IGMP/MLD processing
- Bypass IGMP/MLD - set to 'Enable' to apply processing to IGMP/MLD frames
- Bypass IP Multicast Header - set to 'Enable' to bypass IGMP/MLD Multicast headers

96 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Initialise Configuration - allows selection of:

- Initialise config all

- initialise CI and MAC addresses
- initialise global operation mode

Key Derivation Function

The Key Derivation Function (KDF) pane is used to create the key that will be used to encrypt traffic.
The Set Key From DRBG button is used to create a new key

Figure 57 Key Derivation Function

Key - provides a "once-off" display of the generated key which can be copied and pasted to peer
encryptors. After this the key will no longer be displayed.
Hash - shows a hash of the created key which can be used to compare the key with those in peer
encryptors

Protocol
The Protocol option is used to refine the Ethernet policy to meet the specific needs of the network. A
table defines a group of multicast addresses which by default are encrypted but can be bypassed. In
addition, when in Multipoint VLAN mode, additional MAC addresses can be added to this table.

SafeNet Virtualised Encryptor CV1000 97

Section 4 - Encryptor management

Figure 58 Protocol configuration

Bypass Reserved Multicast - when enabled all of the traffic sent to the listed multicast MAC
addresses will be left unencrypted. For security/certification reasons the default is disabled.
Because of the standards for multicast IP to MAC address mapping, there are 32 IP multicast
addresses that map to one MAC multicast address. Before enabling Bypass Reserved Multicast you
should ensure that none of the MAC addresses in the table also map to other IP multicast traffic on
your network that should be encrypted. If this is the case than you should leave Bypass reserved
Multicast disabled and add only those MAC addresses that need bypassing to the Reserved MAC
address table as shown on the previous page.
The lower section of the display lists the MAC addresses that will be bypassed when Bypass
Reserved Multicast is enabled. This includes any additional MAC addresses added using the 'Add'
selector, the figure showing the address 09:02b:00:00:05 being added.

98 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Protocol - Ethertypes
The Protocol - Ethertypes option allows you to configure the default and individual ethertype policy
of the encryptor. Up to 15 ethertypes can be configured.

Figure 59 Ethertype Policy configuration

Unlisted Ethertype Action - shows the actions that will be taken by ethertypes that are not in the eth-
ertype table. Action can be Discard, Bypass, Layer 2 (L2) or Layer 3/4 (L3/L4)
- Broadcast - set to FollowCI, Discard, Bypass, Layer 2 (L2) or Layer 3/4 (L3/L4)
- Multicast - set to FollowCI, Discard, Bypass, Layer 2 (L2) or Layer 3/4 (L3/L4)
- Unicast - set to FollowCI, Discard, Bypass, Layer 2 (L2) or Layer 3/4 (L3/L4)

The encryptor is pre-configured with ethertype polices for each of the connection modes. The exist-
ing policies can be modified and additional policies up to a total of 15 can be added.
ID - an index used when editing the table using the ethertypes CLI command
Type - the value of the ethertype and, where known, its functional description
Broadcast Action - the action to be applied to Broadcast traffic - can be Discard, Bypass, Layer 2
(L2) or Layer 3/4 (L3/L4)
Multicast Action - the action to be applied to Multicast traffic - can be Discard, Bypass, Layer 2 (L2)
or Layer 3/4 (L3/L4)
Unicast Action - the action to be applied to Unicast traffic - can be Discard, Bypass, Layer 2 (L2) or
Layer 3/4 (L3/L4)

IP Rules
The entries within the IP Rules table contains determine the policy that will be applied to traffic flow-
ing through encryptors configured in TIM mode.

SafeNet Virtualised Encryptor CV1000 99

Section 4 - Encryptor management

Note that since the TCP checksum is based on the IP header, Layer 3 encryption for TCP traffic on
NAT based networks will not work as expected. In these cases the use of Layer 4 encryption policy is
recommended.

Figure 60 IP Rules
Action for Unlisted IPs - specifies the action that will be taken for IP addresses that are not specified
in the IP Rules table. Can be discard, bypass, encrypt L2, encrypt L3, or encrypt L4

Traffic is matched against each entry using a Longest Prefix Match. If a LPM match is found and a
layer 4 action is configured then further matching is performed based on the specified protocol and
port number. If the rule is applicable then the action is applied to the traffic.

ID - specifies the assigned rule index

IP Address- identifies the IP address that is used for the Longest Prefix Match.
Prefix - specifies the prefix used for the LPM match
Protocol - specifies the protocol for Layer 4 rule matching
Port - specifies the port number that is used for Layer 4 rule matching
Action - specifies the action for the rule entry. Can be discard, bypass, encrypt L2, encrypt L3, or
encrypt L4

In the table above, network traffic to the destination subnets is treated as follows:
l Entry 1 encrypts the 192.16.0.0/24 subnet at Layer 3
l Entry 2 encrypts the 172.16.0.0/24 subnet at TCP Layer 4
l Entry 3 encrypts the 172.16.0.2/24 subnet at UDP Layer 4
l Entry 4 discards the 10.0.0.0/16 subnet
l All other traffic is encrypted at Layer 3 (Action For Unlisted IPs)
For a Layer 4 Action, the TCP Protocol number 6 or UDP Protocol number 17 must be specified.
Note that if a destination subnet is behind a NATed network device then the externally-facing NATed
IP address(es) should be specified in the IP Rules table.
The IP Rules table can also be viewed and configured via the CLI iprules command. For details on
how to use this command enter iprules -h in the CLI.

Encryption Interfaces
The Encryption Interfaces option allows you to examine the Local and Network Interfaces. For virtual
encryptors the linkspeed is determined by the host NIC.

100 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 61 Ethernet encryption Interface configuration

Current Link Status - shows the current status of the link and the local and network ports
- Link Status - shows the state of the link
- Network Interface status - shows the state of the network port, this can be 'up' or 'down'
- Local Interface Status - shows the state of the local port, this can be 'up' or 'down'
Auto-Negotiate Port Speed - enabled / disabled which allows unit to communicate with Local
device to determine correct speed

Diagnostics
The Diagnostics option allows you to diagnose the operation of the encryptor by examining the front
panel status indicators and the interface status and statistics
Note: Images in this section will be updated to exclude Battery state, Temperature, physical
interface elements, etc.

SafeNet Virtualised Encryptor CV1000 101

Section 4 - Encryptor management

Figure 62 Management Diagnostics

Front Panel Indicators - shows the state of the units front panel indicators
Management Port Statistics
- Ethernet IP - summarises the front panel Ethernet traffic
- - Packets In - provides a count of the packets sent to the front panel
- - Packets Out - provides a count of the packets sent from the front panel port
- - Header errors - provides a count of the frames that had header errors
- - Address errors - provides a count of the frames that had address errors
- - Discards - provides a count of the packets discarded
- Ethernet ICMP - Internet Control message Protocol traffic
- - Messages In - ICMP messages received
- - Messages Out - ICMP messages sent
- - Errors - count of errors detected
- Ethernet UDP - User Datagram Protocol details
- - Datagrams In - number of datagrams received
- - Datagrams Out - number of datagrams sent
-- Errors - number of UDP errors detected
Local interface - displayed in Figure 63 on the facing page
Network Interface - displayed in Figure 64 on the facing page

102 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 63 Local interface Diagnostics

Received - summarises the status of the received Local port traffic as detailed below:
- Corrupted Frames - the number of frames that were seen as corrupt
- Interframe gap Errors - a count of any interframe gap errors
- Octet Count - a count of the bytes received on the Local port
- Frame Count - a count of the frames received on the Local port
- FCS Errored Frames - a count of the frames that had FCS errors
- PCS Errored Frames - a count of the frames that had PCS errors
- Undersize Frames - a count of the frames that were undersize
- Oversize Frames - a count of the frames that were oversize
- Discarded Frames - a count of the frames that were discarded
- PCS Sync Status -

Transmitted - summarises the status of the transmitted Local port traffic as detailed below:
- Octet Count - a count of the octets sent by the encryptor
- Frame Count - a count of the frames sent by the encryptor
- FCS Errored Frames - a count of the frames with FCS errors

The Reset Local button at the top of the display resets the following:

local port statistics

local ethertype statistics (TIM operational mode only)
local iprules table statistics

Figure 64 Network interface Diagnostics

For details of each of the available fields refer to the Local interface above.
The Reset Network button at the top of the display resets the following:

network port statistics

network ethertype statistics (TIM operational mode)
network iprules table statistics
Tx and Rx tunnel/connection statistics

Alarms
The Alarms option allows you to examine and optionally acknowledge encryptor alarms. All alarms
can be acknowledged or individual alarms can be selected and acknowledged. It may be necessary
to use the Refresh button to see the updated state of the alarms.

SafeNet Virtualised Encryptor CV1000 103

Section 4 - Encryptor management

Figure 65 Encryptor Alarms

ID - sequential index of alarm entry
Time - time the alarm was raised
Description - a description of the cause of the alarm
State - the current state of the alarm, whichcan be 'active' or 'inactive' and is flagged as acknow-
ledged (ACK) or unacknowledged (NAK)

Event Log
The Event Log option allows you to examine the events that have been generated within the
encryptor. The log can be saved to a text file and, if desired, cleared.

Figure 66 Event Log

ID - a sequential number that identifies the order in which the event was logged
Time - the date and time that the event occurred
Description - a description that shows the nature of the event

Audit Log
The Audit Log option allows you to examine the audit log, which includes all of the activities that
have been executed by the users who have accounts within the encryptor. The Audit log can be
saved as a text file and, if desired, cleared.

104 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 67 Audit Log

ID - a sequential number that identifies the order in which the operation was logged
Time - the date and time that the operation was performed
Description - a description that includes the users identifier and the operation that was performed

Upgrade screen
When the upgrade screen is selected the instructions and fields shown in Figure 68 on the next
page are displayed.

SafeNet Virtualised Encryptor CV1000 105

Section 4 - Encryptor management

Figure 68 Upgrade dialogue

Note:
An upgrade will require a reboot of the encryptor which will check the validity of the default
certificate. If the certificate has expired then traffic will not restart. It is recommended that the
validity of the certificate be checked prior to performing an upgrade.

Protocol - allows selection of either an HTTP or an FTP server as the source of the update
Host - defines the IP address of the server on which the upgrade image has been loaded
Path - defines the location of the file on the server
File Name - defines the name of the upgrade image
User Name - defines the HTTP or FTP user name
Password - defines the password that allows access to the server

106 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

User account management

Encryptor management is based on a user role model. User accounts can be created at one of four
predefined privilege levels:

Table 7. User credentials

User level Privileges granted
Administrator Unlimited ability to configure and manage an encryptor
Ability to configure with the following exceptions:
Supervisor l Cannot create/edit user accounts
l Cannot clear audit or event logs
l Cannot initiate firmware upgrades
Monitoring only
Operator
Cannot make configuration changes
Can initiate firmware upgrades remotely via SNMP
Maintainer
Cannot make any other configuration changes

User accounts are stored in each encryptor. They are not kept in a central repository or in the CM7
database. As described in the following section, up to 30 separate user accounts can be created.
To manage an encryptor you must have an account registered on the device. Each account has an
id and password that must be entered into the CLI or CM7 to gain access to the encryptor.
An un-configured (or erased) encryptor contains a default administrator account that allows the unit
to be configured. This account has the following credentials:

Name: admin
Password: $Password1

To guard against unauthorised access, this account should be replaced with a new administrator
account which is done as part of the 'activation' process.

Defining user accounts

Additional user accounts are added via the selected encryptors User menu as shown in Figure 69
below. Each of the users details can be changed as required and then applied back to the unit.

Figure 69 User Management

There must always be at least one administrator account present on the encryptor; the system will
not allow you to delete the last account. If you erase the encryptor then the default administrator
account will be re-established with the admin/$Password1 credentials.

SafeNet Virtualised Encryptor CV1000 107

Section 4 - Encryptor management

All authorised users are assumed to be competent and trusted not to abuse their privileges so as to
undermine the security.

Note:
User accounts cannot be created until the unit has been activated.

A user account is defined by an access level, a unique User Name and Authentication Password
and an optional Full Name that can be used to identify the person or a functional role.
Users can have their Privilege level defined and access via the console (CLI) or SNMP management
port can be enabled or disabled.
User accounts can be disabled if they are not required for day-to-day operations. This facility is often
used where an external party should only be granted access when their assistance is required.
The Encryptor list allows multiple encryptors to be selected and updated at the same time, provided
that the current user has the same login credentials on each unit.

Note
If FIPS mode is enabled (See "FIPS PUB 140" on page 110) then the encryptor enforces
both authentication AND privacy.
The encryption keys for privacy mode are derived between the encryptor and the SNMP
manager using the Diffie-Hellman key agreement protocol. This method replaces the user
privacy password model from firmware version 1.9.0 onwards.

By default, user passwords are subject to lexical diversity requirements as follows:

l At least one upper-case alphabetic character

l At least one lower-case alphabetic character
l At least one digit
l At least one punctuation character

Within each of these groups there are no restrictions on the character set that can be used.
This requirement can be disabled from the Management Access tab (see on the previous page).
Beginning in v4.0.0 of the firmware, password security was enhanced by the addition of an
enhanced mode that allows configuration to support AR-25-2.  When enhanced mode is turned off
(the default) and lexical checking is enabled, testing using the default rules is only performed when
accounts are created.  Enhanced mode, which is enabled using either the Management Access tab
or the CLI password command, enforces diversity checking whenever a user logs on and allows
these checks to be strengthened.

Authentication / privacy
Authentication requires that each of the messages between CM7 and an encryptor be
authenticated.
Privacy requires that the traffic between CM7 and an encryptor be encrypted.

Administrator access

The User Access options described in Table 8 on the facing page can be used to configure the man-
ner in which users interact with an encryptor.

108 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

The Serial port, the CN Series keypad and USB ports can be individually disabled to prevent unau-
thorised access to the unit.
Password lexical checking can be disabled or extended by setting both the minimum length and
optional AR-25 requirements.

Table 8. User access

Feature Description
Enable Serial Console Port Specifies whether access is available via the serial craft port
Enable Front Panel Keypad
Enable/disable the keypad to control access
(CN series only)
Enable Front Panel USB (CN
Enable/disable firmware upgrades via the USB port
Series only)
Enable/disable the lexical checking of user passwords.  Note that
Enable Password Lexical
units that are Common Criteria certified do not allow lexical check-
Check
ing to be turned off
Specifies the number of unique passwords that must be entered
Password Reuse Count
before a password can be reused for an account
Specifies the number of days before an inactive (no logins in this
User Inactivity Lockout
period) account is disabled
Specifies the period of inactivity on the console after which the user
Session Inactivity Logout
is logged out
Enable/disable the enforcement of enhanced lexical check-
Enable Enhanced Password
ing.?Enhanced checking allows conformance to the AR-25 stand-
Policy
ard.
Minimum Password Length Enforce length of 15-29 characters
Minimum Number of Upper-
Set minimum to 1 or 2 characters
case Characters
Minimum Number of Lower-
Set minimum to 1 or 2 characters
case Characters
Minimum Number of Numeric
Set minimum to 1 or 2 numerics
Characters
Minimum Number of Special
Set minimum to 1 or 2 characters
Characters

SNMPv1 monitoring can be enabled or disabled. SNMPv1 uses a 'Community String' to authorise
connection and this string can be configured either via CM7 or the CLI community command as
shown on page 140.
If SNMPv1 access is to be used then to maximise security the Community string should be changed
from Public to another value.

Table 9. Remote management

Feature Description
Enable SNMPv1 (Monitor only) Enable/disable SNMPv1 monitoring
Community String Specifies the community string of the encryptor

Note
For the setting to take affect, some versions of the firmware require a restart after SNMPv1 is
enabled or disabled.

SafeNet Virtualised Encryptor CV1000 109

Section 4 - Encryptor management

FIPS 140-2 mode is enabled by default; however, it can be disabled. Switching modes will force a
restart of the encryptor and the running of any applicable startup diagnostic processes. FIPS mode
enables privacy and enforces authentication using a Diffie-Hellman key exchange.

Table 10. FIPS PUB 140

Feature Description
Disable FIPS PUB 140-2 mode Enable/disable FIPS mode
Disable SNMP Privacy Enable/disable privacy on SNMP management connection

Configuring CM7
The CM7 user interface can be customised to meet the preferences of the user, the settings being
saved in a CM.ini file, or if selected, in a database on a Configuration server. The CM7 Settings
screen shown in Figure 70 below is accessed by clicking on the 'cog' icon at the bottom right of the
main screen. The help button at the bottom right of this screen can be used to display the func-
tionality provided by each of the fields.

Figure 70 CM7 Settings

110 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

The top frame of the window displays the current version number of CM7.
The remaining fields are functionally grouped and provide the following customisation.

Explicit Login - when enabled only the entered credentials are used to login to encryptors. If a login
is unsuccessful then the next login attempt is only made after credentials are entered into the Login
dialogue.
Non Activated Password - specifies the password that will be used to access encryptors that have
yet to be activated. This defaults to , however this can be changed if required.
Station ID - by selecting a different station ID than other users you provide CM7 with the ability to
concurrently manage individual users. It is recommended that in organisations where multiple man-
agers may exist, each user workstation is configured with a unique ID. Note that beginning with
v2.7.1 of the firmware, encryptors automatically assign a dynamic Station ID in the range 00 to 99
and users do not need to make configuration changes.
Ticket Request Password -
Discovery Polling Timeout(sec) - the default timeout discovery period of 2 seconds seldom
requires changing. However in noisy environments or within large networks it can be increased to
allow for any delays that are incurred.
Discovery Polling Retries - the default value of 1 is normally adequate. However in noisy envir-
onments a higher value may be required.
Hide Not Applicable Settings - by default, any settings that do not apply to the current encryptor
model or context are hidden. Enabling this selector shows all variants.
Number of Tiled Manage Windows Across - leaving this setting at the default of 2 will result in side-
by-side display of up to 2 encryptors. Additional encryptors will be tiled in the next available slot
within one of the columns.
Session Timeout(min): - by default CM7 sessions timeout at 5 minutes. This can be increased or
decreased (to a maximum of 60 minutes) to meet user needs, however the security requirements of
your organisation should be considered.
Manage Windows Refresh Rate(sec) - by default, the currently displayed Manage Window content
is refreshed every 15 seconds. This can be increased or decreased to meet your needs.
Encryptor List Refresh Rate(sec) -
Network View Refresh Rate(sec) -
Enable Trap Listener - enabling the trap listener allows CM7 to receive any traps that are sent to its
configured trap address.
Trap Listener Port - allows you to change the SNMP trap listener port
Display Reports - adds informative messages to the CM7 log window
Display Warnings - adds warning messages to the CM7 log window
Display Errors - adds error messages to the CM7 log window
CM Settings Location - if the CM settings are held in an INI file this allows selection of the path used
to store the settings file. Either the Current User Path or the Public Path will have been selected
when CM7 was installed, however this can be changed if desired.
If the CM settings are held in a Configuration server database then this allows the selection of the
Server and Database as shown in the modified dialogue below.

CA/Key Management - clicking on this button opens the Create CA screen, which allows CM7 to be
configured as a Certificate Authority and allows the definition of KDK keys for use in TIM mode
Save - saves the current settings

SafeNet Virtualised Encryptor CV1000 111

Section 4 - Encryptor management

Close - exits from this screen without saving settings

Link: Management\CM7 Operations\Certificate hashes.htm Tagsets: Documents

Certificate hash algorithm

The certificate signing algorithm determines the signature hash algorithm used, as indicated in the
following table:

X.509 Certificate algorithm Signature Hash algorithm

RSA-2048 SHA-256
ECDSA-P256 SHA-256
ECDSA-P384 SHA-384
ECDSA-P521 SHA-512

112 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

KDK Key generation

In order to establish secure security associations encryptors configured in TIM mode that use the
KDF key derivation function must be seeded with identical KDK keys.
To generate KDK keys that will be available for distribution to encryptors select the KDK tab to dis-
play the following dialogue:

Keys can be manually entered (unless in FIPS mode), or more usually generated using the Autofill
KDK selector which allows either CM7 or any of the listed encryptors to be used as the key source.
Note that in the latter case only hardware based encryptors with firmware releases of v5.1.0 or later
are available for use.
By default CM7 will generate a key file in a folder in the users AppData path. The filename has a suf-
fix based on the hash of the KDK. While not recommended both the file location and filename can be
changed.

SafeNet Virtualised Encryptor CV1000 113

Section 4 - Encryptor management

The Create KDK File button requests a password that will be used to protect the file and then when
OK is clicked, generates it in the specified location.

Following creation, additional keys can be generated should these be required.

Installing CM7
CM7 is supported on Windows XP, Windows Server 2008, Windows 7 or later and the Debian and
CentOS/Redhat Linux operating systems. Recommended system specifications are 4Gb of RAM,
100Mb disk space and a Core i5 processor or equivalent.
Before installing or upgrading your CM7 software you must exit any running instances.

Windows
l Locate the CM7 CD that came in your package.
l Start Windows.
l Insert the CD into the CD drive.
l From the Windows Start Menu choose ‘Run’.
l Type d:\setup (or drive:\setup where ‘drive’ is the CD drive designator) and press the Enter
key.
Setup will copy installation files to the PC’s hard disk and then display the following ‘Welcome dia-
logue’ box indicating the version of CM7 that you have selected. (The version my differ from that
shown in Figure 71 on the facing page.)

114 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 71 Setup screen

After ensuring that any current instance of CM7 is closed, click on the Next button to initiate install-
ation. CM7 will begin to install and you will be asked to accept the License Agreement.

Figure 72 License agreement screen

After you accept the agreement, the install process displays any optional configuration parameters
and after selection you should click the Next button to continue.

SafeNet Virtualised Encryptor CV1000 115

Section 4 - Encryptor management

Figure 73 Required components screen

The next screen allows you to either install CM7 in the default location or select an alternate loc-
ation. Clicking the Next button will install CM7.

Figure 74 Install location screen

When the installation is complete, the completion screen is displayed after which you can click Fin-
ish to start CM7 or exit.

116 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 75 Install completed screen

Initial configuration settings

The first time CM7 is run following installation, it prompts the user for the location where the CM con-
figuration settings will be installed. As shown in Figure 76 below, the path can be to a INI file in a
defined directory or in a Configuration server database.
Configuration server databases provide a convenient way of sharing lists of encryptors and
PKCS#12 files. For example, you could have lists for different support groups, lists for geographies,
lists for departments, etc. The configuration server can be on a central server or on your local sys-
tem.

Figure 76 Select CM settings location

SafeNet Virtualised Encryptor CV1000 117

Section 4 - Encryptor management

If a INI file is to be used then the 'browse' button to the right of the INI file selector allows you to
change the default location.

Figure 77 Selecting an alternate INI file location

If a Configuration server database is to be used then the Server IP and Port selectors can be used to
specify the database location. When the IP address is entered and the <Enter> key is pressed (or the
refresh symbol clicked) then CM7 attempts to connect to the server and if this is successful the 'suc-
cess indicator' to the right is shown as a green tick. If a connection cannot be made, perhaps
because the server is not running, then the indicator will be red. Hovering over the indicator will dis-
play the status of the server. Note however, that the messages are server dependent and not doc-
umented here. IP address 127.0.0.1 can be used for a server located on the CM7 system.
After the server is specified, the Database Name selector is filled with the names of the databases
hosted on that server. Creating a database with the same name as an existing database will raise a
warning to indicate that existing settings will be overwritten.

Figure 78 Overwriting an existing database

If you would like to delete a database then it can be selected and the 'delete symbol' to the right of
the Database Name clicked. A warning is raised to allow you to confirm that the specified database
is to be deleted.

118 SafeNet Virtualised Encryptor CV1000

 Section 4 - Encryptor management

Figure 79 Delete database warning

Note that this delete function is hidden if the selected database is open.

Moving CM7 to a new PC

To move CM7 to a new PC you should follow the following steps:

Determine the location of the CM.INI file for the existing installation by examining the
'path' on the CM7 settings pane
Copy the CM.INI file to a memory stick
Install CM7 on the new machine
Determine the location of the new installations CM.INI file by examining the 'path'
Replace the CM.INI file with the one that was saved on the memory stick

SafeNet Virtualised Encryptor CV1000 119

Alarms, event and audit logs

Alarms, event and audit logs

Each encryptor is able to provide details of any alarm conditions and supply details of any events
and operator actions that have been logged within it.
CM7 allows the status of alarms and the content of the event and audit logs to be accessed for the
selected encryptors by expanding the appropriate area as described in the sections that follow.

Note:
Only a user with administration privileges can acknowledge alarms or clear the event and
audit logs.

A count of the number of log entries is provided along with the number of unacknowledged alarms
and SNMP traps received. In addition, if SNMP trap handling is enabled a count of the traps received
is shown and if NTP servers are configured a count of these is provided.

Logs
The encryptor keeps two separate logs, an event log and an audit log. Both logs are kept in non-
volatile memory and are therefore preserved across power cycles.
Each log can contain a maximum of 4000 records; when a log becomes full then it may be con-
figured to either overwrite the oldest records (Wrap Enabled) or to stop logging new records (Wrap
Disabled). This setting is configured through either the CLI or CM7.
Every log record is time-stamped and both logs can be viewed from either the CLI or remotely via
SNMP management.
The logs must be maintained and regularly examined to ensure undesired events are detected.

Alarms
The alarms tab lists each alarm that was raised, showing the date and time, the current state (active,
inactive and acknowledged) and its description. See " Appendix A-3 Alarm messages" on page 129
When an alarm becomes active it will remain in the alarm table until acknowledged by a user (admin-
istrator or supervisor). This is true even if the alarm condition itself goes away.
Alarms can exist in one of the following states:

Alarm id(1): 15/09/2004 12:23:10 NACK Network port link down indication

Table 11. Alarm states

Alarm State
Active unacknowledged
Active acknowledged
Inactive unacknowledged
Inactive
Meaning
Alarm is currently active and has not been acknowledged by a user
Alarm is currently active and has been acknowledged by a user
Alarm was active but was not acknowledged by a user before it
became inactive
Alarm is inactive and all previous alarms have been acknowledged

An alarm becoming active has the following effects:

1. The alarm is listed in the alarm table
2. The alarm LED on the front panel indicates the status of alarms in the following precedence:

120 SafeNet Virtualised Encryptor CV1000

 Alarms, event and audit logs

l Flashing red – At least one active unacknowledged alarm exists

l Solid red – At least one active acknowledged alarm exists
l Flashing orange – At least one inactive unacknowledged alarm exists
l Green – No alarms present

3. A record is added to the event log indicating that an alarm has been set
4. When an alarm condition goes away an event is logged to indicate that the alarm was cleared

Figure 80 CM7 Alarm display

Event log
The event log (See " Appendix A-2 Event log messages" on page 128) is a record of “significant” hap-
penings such as power up, self-test results, alarm conditions being set or cleared, etc. For example:

2004-09-14 11:48:40 Alarm cleared: Network interface path RDI

Each entry has a date/time stamp and a description of the event that occurred. The log can contain
up to 4000 entries and it can be set to either wrap or truncate.

Figure 81 CM7 Event log display

SafeNet Virtualised Encryptor CV1000 121

Alarms, event and audit logs

The event log lists each event that has been logged, including the date and time and event descrip-
tion.

Audit log
The audit log (See " Appendix A-1 Audit log messages" on page 123) is a record of all configuration
changes made to the encryptor. As with the event log, the list can be sorted, cleared and saved to a
file on the PC. The record indicates the name of the user making the change and exactly what
change occurred. For example:

2004-09-08 09:40:19 admin: E3/T3 configuration on network port changed: Tx

clock source: internal, Loopback: none, Payload scrambling: enabled, HCS
coset addition: enabled, framing: E3 G832 ADM

The following screen shows the online view available from CM7

Figure 82 CM7 Audit log display

SNMP Traps
An SNMP trap is an asynchronous message sent by the encryptor to a pre-defined trap handler. Up
to eight trap handler IP addresses can be defined and enabled so that alarms and events can be
sent to specified trap handlers.
CM7 can operate as a trap handler, displaying the status of a number of encryptors. More usually,
third-party network management systems such as Tivoli or NetView are used.

Encryptors send SNMPv2 enterprise-specific trap messages to all defined handlers when an alarm
is set or cleared; the trap message contains the text of the alarm description. See " Appendix A-4
SNMP trap messages" on page 132 for a full list of trap messages.

Note:
For the new port to take effect you should disable traps prior to changing the port number
and then re-enable them afterwards.

The SNMP Trap receivers can be defined via the CM7 SNMP pane allowing traps to be enabled on
a specific port. Refer to "SNMP" on page 89

122 SafeNet Virtualised Encryptor CV1000

  Appendix A-1 Audit log messages

Appendix A-1 Audit log messages

SafeNet Virtualised Encryptor CV1000 123

 Appendix A-1 Audit log messages

Table 12. Audit log messages

Message Version Encryptor ID
(Device) RSA Key Size Changed. Next
AUDIT_RSA_KEY_SIZE_CHANGE
certification will use:
Account inactive timeout period set to AUDIT_ACCOUNT_TIMEOUT
Acknowledged active alarm AUDIT_ACTIVE_ALARM_ACK
Alarm trap period set to AUDIT_ALARM_TRAP_PERIOD
Audit log was corrupt and had to be
AUDIT_LOG_CORRUPT
recreated
Audit log wrapping AUDIT_AUDITLOG_WRAP
Auto discovery 2.1.0 AUDIT_GETH_AUTODISC
AUDIT_GETH_BYPASS_RESRV_MC_
Bypass of reserved Multicast changed to
CHANGE
CI/Tunnel Keyupdate interval changed
AUDIT_KEY_UPDATE_INTERVAL
to <minutes>
Cleared audit log AUDIT_EMPTY_AUDIT
Cleared system log AUDIT_EMPTY_SYSTEM
CLI prompt set to AUDIT_CLI_PROMPT
Configuration Reset and Reboot
AUDIT_GETH_CFG_REBOOT
executed:
Configuration: AUDIT_GETH_CFG_MSG
Configuration backup file created 4.4.0 AUDIT_CONFIG_CREATED
Configuration restored from backup file 4.4.0 AUDIT_CONFIG_RESTORED
Connection started AUDIT_SESSION_ACTIVE_START
Connection stopped AUDIT_SESSION_ACTIVE_STOP
Control Plane Ethertype 1 changed to: AUDIT_GETH_ETHERTYPE_FC0F_
2.2.0
<insert value> CHANGE
Control Plane Ethertype 2 changed to: AUDIT_GETH_ETHERTYPE_FC0E_
2.2.0
<insert value> CHANGE
CRL entry added - AUDIT_CRL_CFG_ADD
CRL entry changed - AUDIT_CRL_CFG_EDIT
CRL entry deleted - AUDIT_CRL_CFG_DEL
CRL : AUDIT_CRL_CFG_MSG
Default Gateway IP address set to AUDIT_DEFAULT_IP_GATEWAY
Electrical Link Loss Forwarding AUDIT_GETH_ELECTRICAL_LINK_
2.1.0
changed to LOSS_FWD_CHANGE
AUDIT_GETH_ELECTRICAL_LINK_
Electrical LLF tied to connection status 2.1.0
LOSS_SESSION_FWD_CHANGE
Ethertype default broadcast action
AUDIT_GETH_DEF_BROADCAST
changed:
Ethertype default multicast action
AUDIT_GETH_DEF_MULTICAST
changed:
Ethertype default offset usage changed: AUDIT_GETH_ETH_OFFSET_USE
Ethertype default unicast action
AUDIT_GETH_DEF_UNICAST
changed:
Ethertype Entry Added. AUDIT_GETH_ETYPE_ADD
Ethertype Entry Deleted. AUDIT_GETH_ETYPE_DEL
Ethertype Entry Edited. AUDIT_GETH_ETYPE_EDIT
Ethertype Notification. AUDIT_GETH_ETYPE_MSG
FIPS Mode has been changed AUDIT_FIPS140
AUDIT_GETH_CONNECTION_MODE_
Global Connection mode changed to
CHANGE
Global Connection mode Notification. AUDIT_GETH_CONNECTION_MODE_

124 SafeNet Virtualised Encryptor CV1000

  Appendix A-1 Audit log messages

Message Version Encryptor ID

MSG
AUDIT_GETH_CRYPTO_MODE_
Global Crypto mode changed: Algorithm 2.0.0
CHANGE
Global mode changed: AUDIT_GETH_MODE_CHANGE
Inband forwarding AUDIT_INBAND_FORWARD
AUDIT_GETH_BYPASS_IGMP_MLD_
IGMP/MLD Bypass <enabled/disabled> 2.2.0
CHANGE
Inband full arp AUDIT_INBAND_FULL_ARP
Inband gateway enable set to <insert
AUDIT_INBAND_GATEWAY
value>
Inband Gateway IP address set to
AUDIT_INBAND_IP_GATEWAY
<insert value>
Inband IP address set to <insert value> AUDIT_INBAND_IP
Inband management AUDIT_INBAND_ENABLE
Inband management circuit set to AUDIT_INBAND_VCI
Inband management VLAN tag change
2.0.0 AUDIT_INBAND_VLAN_TAG
request -
Inband management VLAN tagging AUDIT_INBAND_VLAN_ENABLE
Inband network IP mask set to AUDIT_INBAND_IP_MASK
Interframe gap changed: AUDIT_GETH_IFG_CHANGE
IP address set AUDIT_SYS_IP
IP Multicast Header Bypass AUDIT_GETH_BYPASS_IP_MC_HDR_
2.2.0
<enabled/disabled> CHANGE
IP Protocol Encryption Identifier AUDIT_GETP_IP_PROTOCOL_ENC_ID_
2.2.0
changed to: <insert value> CHANGE
Keypad AUDIT_KEYPAD_LOCK
Led test mode AUDIT_LED_MODE
Line mode changed: AUDIT_GETH_LINE_CHANGE
Link Autonegotiation changed: AUDIT_GETH_AUTO_NEGOT
Link control changed: AUDIT_GETH_LINK_CTRL
AUDIT_GETH_LINK_LOSS_FWD_
Link Loss Forwarding changed to
CHANGE
Link speed changed: 2.0.0 AUDIT_FC_LINK_CTRL
AUDIT_GETH_LINK_LOSS_SESSION_
LLF on connection status (line mode) is
FWD_CHANGE
Local Link monitoring changed: AUDIT_GETH_LINK_MON_CHANGE
Local Time set to AUDIT_SYS_LOCAL_TIME
Loopback set to AUDIT_FC_LOOPBACK_CHANGE
MAC Address Entry Added. AUDIT_GETH_MAC_ADD
MAC Address Entry Deleted. AUDIT_GETH_MAC_DEL
MAC Address Entry Edited. AUDIT_GETH_MAC_EDIT
MAC change Notification. AUDIT_GETH_MAC_MSG
Mgmt channel settings restored to
2.0.0 AUDIT_FC_MGMT_DEF
default.
Mgmt channel D_ID changed to 2.0.0 AUDIT_FC_MGMT_DID_CHANGE
Mgmt channel RCTL changed to 2.0.0 AUDIT_FC_MGMT_RCTL_CHANGE
Mgmt channel SOF k-word changed to 2.0.0 AUDIT_FC_MGMT_SOF_CHANGE
Management session inactive timeout
AUDIT_MGMT_SESSION_TIMEOUT
period set to
Manual reboot issued AUDIT_REBOOT
MPLS bypass changed: AUDIT_GETH_MPLS_CHANGE

SafeNet Virtualised Encryptor CV1000 125

 Appendix A-1 Audit log messages

Message Version Encryptor ID

Multicast ageing changed to 2.1.0 AUDIT_MC_AGEING_TIME
Multicast Default action changed to 2.1.0 AUDIT_MC_DEFAULT_ACTION
Multicast Management VLAN control
2.1.0 AUDIT_GETH_VLAN_MC_CHANGE
changed:
Multicast Management VLAN tag value AUDIT_GETH_VLAN_MC_TAG_
2.1.0
changed: CHANGE
Network IP mask set AUDIT_SYS_IP_MASK
New MAC processing changed: AUDIT_GETH_NEWMAC_PROC
New SNMP trap destination added: 2.0.0 AUDIT_TRAP_ADD
NTP server record added - AUDIT_NTP_CFG_ADD
NTP server record changed - AUDIT_NTP_CFG_EDIT
NTP server record deleted - AUDIT_NTP_CFG_DEL
NTP configuration AUDIT_NTP_MSG
Number of stacked VLAN id(s)changed AUDIT_GETH_VLAN_STACKED_
to CHANGE
Number of stacked VLAN id(s) noti-
AUDIT_GETH_VLAN_STACKED_MSG
fication
Observe Pending action on ingress AUDIT_GETH_OBS_PENDING_
changed to INGRESS
OCSP entry added - AUDIT_OCSP_CFG_ADD
OCSP entry changed - AUDIT_OCSP_CFG_EDIT
OCSP entry deleted - AUDIT_OCSP_CFG_DEL
OCSP : AUDIT_OCSP_CFG_MSG
Out-Of-Band management AUDIT_OOBAND_ENABLE
Password enhanced mode: AUDIT_PASSWORD_ENHANCED
Password lexical checking AUDIT_PASSWORD_LEXICAL
Password minimum length: AUDIT_PASSWORD_LENGTH
Password minimum lowercase char-
AUDIT_PASSWORD_LOWERCASE
acters:
Password minimum numerical char-
AUDIT_PASSWORD_NUMERICAL
acters:
Password minimum special characters: AUDIT_PASSWORD_SPECIAL
Password minimum uppercase char-
AUDIT_PASSWORD_UPPERCASE
acters:
Password reuse history size set to AUDIT_PASSWORD_REUSE
Power Supply mode changed to AUDIT_PSU_MODE
Reserved MAC Address Added. AUDIT_GETH_PROTMACADDR_ADD
Reserved MAC Address Deleted. AUDIT_GETH_PROTMACADDR_DEL
Reserved MAC Address Edited. AUDIT_GETH_PROTMACADDR_EDIT
Reserved MAC Address Notification. AUDIT_GETH_PROTMACADDR_MSG
Session added AUDIT_SESSION_ADD
Session deleted AUDIT_SESSION_DELETE
Session edited AUDIT_SESSION_EDIT
Shim insertion rate changed to AUDIT_SHIM_RATE
Shim MTU overflow prevention change
AUDIT_SHIM_MTU_OVERFLOW
to
SNAP observe PID as ethertype
AUDIT_GETH_SNAP_PID
changed:
SNMP Privacy Mode has been AUDIT_SNMP_PRIV
SNMP V1 read only access AUDIT_SNMPV1_ENABLE
STP monitoring changed to AUDIT_GETH_STP_MON
Syslog server record added - AUDIT_SYSLOG_ADD

126 SafeNet Virtualised Encryptor CV1000

  Appendix A-1 Audit log messages

Message Version Encryptor ID

Syslog server record changed - AUDIT_SYSLOG_EDIT
Syslog server record deleted - AUDIT_SYSLOG_DEL
Syslog configuration AUDIT_SYSLOG_MSG
System log wrapping AUDIT_SYSLOG_WRAP
Three failed login attempts - console
AUDIT_CONSOLE_LOCKED
locked
Timezone set to AUDIT_SYS_TIMEZONE
AUDIT_GETH_TRANSEC_BANDWIDTH_
TRANSEC bandwidth usage changed to
CHANGE
AUDIT_GETH_TRANSEC_FRAME_LEN_
TRANSEC frame length changed to
CHANGE
AUDIT_GETH_TRANSEC_HEADER_
TRANSEC header changed
CHANGE
AUDIT_GETH_TRANSEC_MODE_
TRANSEC mode DISABLED
CHANGE
AUDIT_GETH_TRANSEC_MODE_
TRANSEC mode ENABLED
CHANGE
Trap destination deleted: 2.0.0 AUDIT_TRAP_DELETE
Trap destination updated: 2.0.0 AUDIT_TRAP_EDIT
Tunnel (CI) Entry Added. AUDIT_GETH_CI_ADD
Tunnel (CI) Entry Deleted. AUDIT_GETH_CI_DEL
Tunnel (CI) Entry Edited. AUDIT_GETH_CI_EDIT
Tunnel (CI) Entry Started. AUDIT_GETH_CI_START
Tunnel (CI) Entry Stopped. AUDIT_GETH_CI_STOP
Tunnel (CI) Notification. AUDIT_GETH_CI_MSG
Tunnel Keep Alive changed to AUDIT_GETH_KEEP_ALIVE
Unit erased to factory default AUDIT_UNIT_ERASED
USB Port Lock Status changed to AUDIT_USB_LOCK
User account added AUDIT_USER_ADD
User account deleted AUDIT_USER_DELETE
User account edited AUDIT_USER_EDIT
User account made inactive: AUDIT_USER_LOCKED
VLAN header bypass changed: AUDIT_GETH_VLAN_CHANGE
Vlan Tunnel (CI) Entry Added. AUDIT_GETH_VLAN_CI_ADD
Vlan Tunnel (CI) Entry Deleted. AUDIT_GETH_VLAN_CI_DEL
Vlan Tunnel (CI) Entry Edited. AUDIT_GETH_VLAN_CI_EDIT
Vlan Tunnel (CI) Notification. AUDIT_GETH_VLAN_CI_MSG
Vlan Tunnel (CI) Entry Started. AUDIT_GETH_VLAN_CI_START
Vlan Tunnel (CI) Entry Stopped. AUDIT_GETH_VLAN_CI_STOP
Message based on template: [IPv{4/6}]
<name> ({En/Dis}abled) addr <IP
address>/<prefix> gw <gateway
address> 2.0.0 AUDIT_IF_ENTRY_CHANGE

Example: [IPv4] Inband Mgmt (Enabled)

addr 192.168.1.2/0 gw 192.168.1.1

Version numbers indicate the firmware release at which the message was introduced.

SafeNet Virtualised Encryptor CV1000 127

  Appendix A-2 Event log messages

Appendix A-2 Event log messages

Table 13. Event log messages

Message Version Senetas ID

Version numbers, where included, indicate the firmware release at which the message was intro-
duced.

SafeNet Virtualised Encryptor CV1000 128

 Appendix A-3 Alarm messages

Appendix A-3 Alarm messages

129 SafeNet Virtualised Encryptor CV1000

  Appendix A-3 Alarm messages

Table 14. Alarm messages

Message Version Encryptor ID
Audit log is full ALARM_AUDIT_LOG_FULL
CRL file processing error occurred 2.2.0 ALARM_CRL_FILE_PROC_ERROR
Encryptor link(s) down (speed mis-
ALARM_LINK
match or link down)
Local interface AIS ALARM_LOCAL_AIS
Local interface FERF ALARM_LOCAL_FERF
Local interface loss of cell delin-
ALARM_LOCAL_LCD
eation
Local interface loss of frame ALARM_LOCAL_LOF
Local interface loss of signal ALARM_LOCAL_LOS
Local interface RAI (Yellow) ALARM_LOCAL_RAI
Local port link down due to Electrical
2.1.0 ALARM_LOCAL_ELLF
Link Loss Forwarding (ELLF)
Local port link down indication ALARM_LOCAL_LINK
Network interface AIS ALARM_NETWORK_AIS
Network interface FERF ALARM_NETWORK_FERF
Network interface loss of cell delin-
ALARM_NETWORK_LCD
eation
Network interface loss of frame ALARM_NETWORK_LOF
Network interface loss of signal ALARM_NETWORK_LOS
Network interface RAI (Yellow) ALARM_NETWORK_RAI
Network port link down from Elec-
2.1.0 ALARM_NETWORK_ELLF
trical Link Loss Forwarding (ELLF)
Network port link down indication ALARM_NETWORK_LINK
Power supply removed turned off or
2.0.0 ALARM_POWER_REMOVED
faulty
Secure tunnel(s) are down 2.1.0 ALARM_TUNNEL_FAULT
Static sessions converted to Three
ALARM_DES_TO_3DES_UPGRADE
Key Triple DES
System log is full ALARM_SYSTEM_LOG_FULL
System noise source failure ALARM_SYS_NOISE
Transmit Underrun ALARM_TRANSMIT_UNDERRUN
WARNING - Audit log is over 75 per-
2.7.0 ALARM_AUDIT_LOG_NEAR_FULL
cent full
WARNING - Bandwidth is being clipped 4.3.0 ALARM_FPGA_BW_CLIPPING
WARNING - Default user credentials
ALARM_DEFAULT_USER
detected
WARNING - External Entropy file 80
2.7.0 ALARM_ENT_80_EXHAUSTED
percent exhausted
WARNING - External Entropy file 85
2.7.0 ALARM_ENT_85_EXHAUSTED
percent exhausted
WARNING - External Entropy file 90
2.7.0 ALARM_ENT_90_EXHAUSTED
percent exhausted
WARNING - External Entropy file 95
2.7.0 ALARM_ENT_95_EXHAUSTED
percent exhausted
WARNING - External Entropy file
100 percent exhausted - reverting to 2.7.0 ALARM_ENT_100_EXHAUSTED
internal source
WARNING - Jumbo Packets present and
ALARM_JUMBO_PACKETS
dropped, please reduce MTU at source
WARNING - System log is over 75
2.7.0 ALARM_SYSTEM_LOG_NEAR_FULL
percent full

SafeNet Virtualised Encryptor CV1000 130

 Appendix A-3 Alarm messages

Version numbers indicate the firmware release at which the message was introduced.

131 SafeNet Virtualised Encryptor CV1000

  Appendix A-4 SNMP trap messages

Appendix A-4 SNMP trap messages

SafeNet Virtualised Encryptor CV1000 132

 Appendix A-4 SNMP trap messages
Table 15. SNMP trap messages
OID
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.2
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.3
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.4
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.5
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.6
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.7
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.8
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.9
OBJECTS { sysLocalTime, sysAlarmDescr }
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.10 “A failed attempt to log into the CLI interface on this encryptor. A
failed attempt is classified as three successive failed login
attempts.”
eventColdStart NOTIFICATION-TYPE
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.11
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.12
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.16
133
Meaning
eventNetworkLinkUp NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Link Up condition detected on network port”
eventNetworkLinkDown NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Link Down condition detected on network port”
eventLocalLinkUp NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Link Up condition detected on local port”
eventLocalLinkDown NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Link Down condition detected on local port”
eventEncryptorLinkUp NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Encryptor Link is Up (signifies both local and network ports are
up)”
eventEncryptorLinkDown NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“Encryptor Link is Down (signifies one or both of the local or net-
work ports is down).”
eventLogIn NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“A successful login has occurred on the CLI for the encryptor.”
eventLogOut NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“A user has logged out of the CLI interface on this encryptor”
alarmLogInFailed NOTIFICATION-TYPE
OBJECTS { sysLocalTime }
“A unit cold start has occurred”
NB: The standard net-snmp coldstart trap will be received in
addition to a coldstart or warmstart trap given here.This should
be ignored as it relates to the SNMP stacks state, and not the
platforms state.
eventWarmStart NOTIFICATION-TYPE
OBJECTS { sysLocalTime }
“A warmstart has occurred. Typically requested from a CLI or
SNMP operation.”
fipsModeChange NOTIFICATION-TYPE
OBJECTS { fipsMode }
“Notification of a change in the FIPS mode, including the new
fipsMode.”
SafeNet Virtualised Encryptor CV1000
  Appendix A-4 SNMP trap messages

Table 15. SNMP trap messages(continued)

OID Meaning
auditPasswordLexicalChange NOTIFICATION-TYPE
OBJECTS { sysLocalTime, sysAlarmDescr }
“One of the following password lexical parameters changed:
sysUserAccessPasswordMinLength
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.17 sysUserAccessPasswordMinUppercase
sysUserAccessPasswordMinLowercase
sysUserAccessPasswordMinNumerical
sysUserAccessPasswordMinSpecial”

alarmRaised NOTIFICATION-TYPE
OID: 1.3.6.1.4.1.3534.3.1.1.3.1.1 OBJECTS { sysLocalTime, sysAlarmDescr }
An alarm was raised by the encryptor:
003 ALARM_SYS_NOISE "System noise source failure"
004 ALARM_LOCAL_LINK (set) "Local link down"
004 ALARM_LOCAL_LINK (cleared) "Local link up"
005 ALARM_NETWORK_LINK (set) "Network link down"
005 ALARM_NETWORK_LINK (cleared) "Network link up"
008 ALARM_SYSTEM_LOG_FULL "System log is full"
009 ALARM_AUDIT_LOG_FULL "Audit log is full"
010 ALARM_LOCAL_LOS "Local interface loss of signal"
011 ALARM_LOCAL_LOF "Local interface loss of frame"
012 ALARM_LOCAL_LCD "Local interface loss of cell delineation"
013 ALARM_LOCAL_AIS "Local interface AIS"
014 ALARM_LOCAL_FERF "Local interface FERF"
015 ALARM_LOCAL_RAI "Local interface RAI (Yellow) "
020 ALARM_NETWORK_LCD "Network interface loss of cell delineation"
021 ALARM_NETWORK_AIS "Network interface AIS"
022 ALARM_NETWORK_FERF "Network interface FERF"
023 ALARM_NETWORK_RAI "Network interface RAI (Yellow) "
024 ALARM_NETWORK_LOS "Network interface loss of signal"
025 ALARM_NETWORK_LOF "Network interface loss of frame"
030 ALARM_TRANSMIT_UNDERRUN "Transmit Underrun"
042 ALARM_TOP_POWER_REMOVED "Power supply A (Top) not present"
053 ALARM_BOT_TMP_FAIL "Power supply B (Bottom) alarm -exceed temperature limit"
056 ALARM_LINK "Encryptor link is down”
057 ALARM_LOCAL_LLF (set) "Local link down due to Link Loss Forwarding (LLF)"
057 ALARM_LOCAL_LLF (cleared) "Local link recovered from LLF"
058 ALARM_NETWORK_LLF (set) "Network link down due to Link Loss Forwarding (LLF)"
058 ALARM_NETWORK_LLF (cleared) "Network link recovered from LLF"
060 ALARM_DEFAULT_USER "WARNING -Default user credentials detected"
061 ALARM_DES_TO_3DES_UPGRADE "Static sessions converted to Three Key Triple DES"
072 ALARM_JUMBO_PACKETS "WARNING -Jumbo packets present and dropped. Please reduce MTU at
source"
074 ALARM_CRL_FILE_PROC_ERROR "CRL file processing error occurred"
076 ALARM_MASTER_MISSING "Master Unit has stopped supplying keys, Generating own keys"

SafeNet Virtualised Encryptor CV1000 134

Command Line Interface (CLI)

Command Line Interface (CLI)

The CLI commands required to initially configure an encryptor are described below.
All Senetas encryptors provide a Command Line Interface (CLI) that can be accessed using a ter-
minal emulator connected to the serial ‘craft’ interface. The functionality provided by the CLI is sim-
ilar to that provided by CM7, however the latter is required for the activation and/or certification of
units.
The CLI information is organised as follows:
l description of access
l logon process
l command formatting
l alphabetic listing of commands
The sections that follow describe the overall functionality of the CLI and then, in alphabetic
sequence, each of the commands.
The Command Line Interface (CLI) is provided via an RS232 serial connection that allows a PC to
log onto and issue commands to the encryptor. The PC requires a suitable terminal emulation pro-
gram. The CLI provides the ability to configure and manage most of the encryptor's settings.

CLI connection
The Command Line Interface (CLI) operates through the serial connection. It requires a user account
on the encryptor; the user must login with the same authentication password as used with CM7. The
CLI enforces a 3-try, 3-minute lockout process to prevent automated attacks; a session timeout is
used to log the user out after 10 minutes of inactivity.
The CLI provides a comprehensive management capability including the ability to configure encryp-
ted connections, manage user accounts and view log records and alarms.

Customising the command line interface

A number of CLI messages can be tailored to the needs of users. The pre-login and post-login mes-
sages can be used to provide network advice and identify and confirm the specific encryptor that has
been discovered and subsequently logged in to.
The Prompt message is shown ahead of the CLI command prompt and is usually set to a string that
uniquely identifies the unit that you have logged in to.
The Command Line Interface can be customised as follows:
l Configurable prompt
l Configurable pre-login and post-login banner messages
The prompt is the text string that is displayed ahead of the ‘>’ symbol to identify the encryptor that
you are connected to. It can be used to show the unit's logical name within the network, or perhaps
the physical location.
The pre-login banner message is displayed on the controlling terminal prior to the LOGIN prompt. It
lets the user know that they have a physical connection to the unit.
The post-login banner message is displayed after a successful login to the CLI. It can be used to
provide confirmation of the encryptor's identity, or provide other management information to the user.

Table 16. CLI user prompts

Feature Description
Pre-Login Banner The message that will be displayed before the user logs in
Post-Login Banner The message that will be displayed after the user logs in
Prompt The prompt that will be displayed in the CLI

Examples of these messages are:

135 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

This message is shown when connected to the CLI prior to logging in.
LOGIN:admin
PASSWORD:**********
This message is shown after logging in on the Command Line Interface and
prior to the prompt.
CV1000_A>

The ‘CLI prompt’ can also be set using the CLI prompt command as shown on page 161.
When a user connects to the console port, the encryptor will prompt for a user name and user authen-
tication password. Access is denied if the user name and/or password are invalid. After three failed
attempts the console will be locked for three minutes.
After access is granted, the console port presents a command prompt and provides access to the
command line interpreter so that configuration parameters can be viewed and/or changed. The CLI
enforces the same user-role privileges as those required for SNMP management.
Users are automatically logged out if there has been no user input on the console port for ten
minutes.
A list of available commands can be obtained by typing help. Additional help can be obtained on
each command by appending –h to any of the commands.
Commands give appropriate error messages when used incorrectly or with incorrect parameters.
The console supports a command history buffer that is 25 commands deep. The buffer may be
accessed by using the up and down arrow keys to cycle through it.

Commands
Each of the commands is described in the pages that follow, including a table that defines the applic-
ability of the command, a description, the command format and examples of its use.
Where a command requires a hexadecimal argument, the value is usually entered in the 4 character
(hhhh) form. CLI output will usually display hax values in the Hhhhh form, however this document
specifies them using the 0xhhhh form.
.

Note:
The encryptor will not be damaged by anything you type into the CLI.

activate
The activate command is usedencryptors to change the default credentials.
Format: 
activate<CR>
-e enable encryptor for activation
-d disable activation
-l perform local activation
-v verify hash code
CV1000_A>activate -e
Activate mode enabled. Awaiting Hash!
CV1000_A>activate -v
EF3233252A3B57A127E7812EAB274363EA4562FB3213BA68231EF3a
Confirm (y/n)?y
Encryptor is activated

SafeNet Virtualised Encryptor CV1000 136

Command Line Interface (CLI)

CV1000_A>activate -l
Account[admin]
Password>newPassword
Password>newPassword
Confirm[y/n]y
Encryptor is activated
CV1000_A>

The activate command provides a secure method of changing the credentials of the ‘admin’
account from the default settings of admin/$Password1 to those specified by the customer, thus ‘activ-
ating’ the unit. Certificates cannot be loaded until the encryptor has been activated.
Activation requires that the encryptor be placed in activate mode (-e) after which CM7 displays the
encryptor's activation digest and allows entry of the new credentials. When the supplied credentials
have been transferred to the encryptor and the digest verified (-v), the unit is activated.
The -l option allows activation to be performed using the CLI only. When the command is executed
the user is asked to enter the new credentials. Note that for physical encryptors local activation
should only be used in a secure environment where the management system is local to the CLI port.

alarm
The alarm command is used to display the current state of the alarm table and allows Administrators
and Supervisors to acknowledge individual alarms.
 Format:
alarm<CR> List all active alarms
-a <x> <y> Acknowledge alarms x,y, etc. Where x > y
-a * Acknowledge all alarms
-n Print the number of active alarms
Example:
alarm -a Acknowledge all alarms

CV1000_A>alarm
Alarm count = 4 Unacknowledged count = 4
(001): id=004 02/12/2003 15:13:16 ACTIVE_NAK Local port link down indication
(002): id=005 02/12/2003 15:13:16 ACTIVE_NAK Network port link down indication
(003): id=010 02/12/2003 15:13:10 ACTIVE_NAK Local interface loss of signal
(004): id=024 02/12/2003 15:13:09 ACTIVE_NAK Network interface loss of signal
Alarm conditions that occur will be listed in the table with a state of ACTIVE_NAK (not acknow-
ledged) at the same time an event log message is logged and a trap will be sent out if one or more
trap handlers are configured.
Once acknowledged, an alarm state becomes ACTIVE_ACK (acknowledged); the alarm will remain
in the table until the condition goes away.
If an alarm condition occurs and disappears before a user has acknowledged it then it will remain in
the table in a state of INACTIVE_NAK. As soon as the alarm is acknowledged it will disappear from
the alarm table as it is no longer in the active condition.

audit
The audit command is used to list records in the audit log.
 Format: 
audit<CR> List the audit log
-l <n> List the last n records in the log

137 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

audit<CR> List the audit log

-s <n> List records in the log starting from n
-n Print the number of records in the log
-c Clear the audit log
-w <on|off> Turn wrapping on or off

Example:
CV1000_A>audit
Number of audit records is 1
Log wrapping enable
(1): 24/11/2003 16:24:48 User account added as follows Id: admin, Name: administrator,
Status: yes, Level: administrator, Console: yes, Snmp: yes
The audit log is a non-volatile record of changes made to the system configuration. Each record is
time-stamped and contains the id of the user making the change as well as a detailed description of
exactly what was done.
The records are displayed a page at a time and there are twelve records in each page. After the first
twelve audit records have been displayed the user can press <enter> to display the next record,
press the <space> bar to display twelve more records or press <C> to display all the remaining
records in the audit log.
The audit log (like the event log) has a maximum record count of 4000. When the log fills up, new
messages can either be discarded (wrapping mode disabled) or added to the log, replacing the pre-
vious oldest message (wrapping mode enabled).
The audit command allows Administrators to set the wrapping mode for the log as well as the ability
to clear the log.

autodisco
The autodisco command turns MAC address auto-discovery on or off and allows the Multicast ses-
sion timeout period to be specified.
Format:
display current automatic session dis-
autodisco<CR>
covery status
‘u’ or ‘m’ to limit to Unicast or Multicast,
-a for Multicast only, specifies the time
[-e[u|m]][-d[u|m]][-a minutes]
in minutes after there is no traffic that
the session is removed
-e L2 Enable auto discovery at Layer2
-d L2 Disable auto discovery at Layer2
-e L3 Enable auto discovery at Layer3
-d L3 Disable auto discovery at Layer3
-e L4T Enable auto discovery at Layer4 TCP
-d L4T Disable auto discovery at Layer4 TCP
-e L4U Enable auto discovery at Layer4 UDP
-d L4U Disable auto discovery at Layer4 UDP
Example 1: View current setting
CV1000_A>autodisco
Layer2 Autodiscover : disabled
Layer3 Autodiscover : disabled
Layer4 TCP Autodiscover : disabled
Layer4 UDP Autodiscover : disabled

SafeNet Virtualised Encryptor CV1000 138

Command Line Interface (CLI)

Example 2: Enable automatic session discovery

CV1000_A>autodisco -e
Automatic session discovery enabled

autopop
The autopop command enables or disables auto-population of connections.
Format:
Display current Automatic population
autopop<CR>
status
-e Enable auto population of CIs
-d Disable auto population of CIs

When auto population is enabled, the connection table will be cleared, the encryptor will reboot and
as a result the iprules table will be cleared.

Example 1: Enable auto population

CV1000_A>autopop -e
Warning this command will delete existing connections and reboot the encryptor

Do you wish to proceed (y/n) Y

Automatic Populate enabled
CV1000_A>

banner
The banner command is used to view and modify the Pre-Login and Post-Login strings that are dis-
played on the CLI console prior to and after the user logs in.
Format: 
banner<CR> Display current Banners
-r <string> Update pre-login banner
-o <string> Update post-login banner

Example 1: View current settings (no banners)

CV1000_A>banner

Pre-login Banner:

Post-login Banner:

CV1000_A>

Example 2: Set Pre-login Banner

CV1000_A>banner -r
Enter pre-login banner text, max 2559 characters.

139 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Press <CTRL>D on a new line to finish

0000 :Access is restricted to IT staff

0033 :

Press a to accept, d to discard

Changes applied
CV1000_A>

During entry of banner text each line is prefixed with the count of the number of characters already
entered.
Pressing <CTRL>D on the first line and then accepting the entry clears the banner text.

community
The community command is used to view and modify the Community string that is used in SNMPv1
messages.
Format: 
community<CR> Display the current Community string
-s name Set the SNMP community string

con
The con command is used to view and modify an Ethernet encryptor's multipoint connection policy
Format: 
con <CR> Display current Connection policy
-m Enable MAC Connection mode
-v Enable VLAN Connection mode
-i Enable ISID Connection mode

The connection policy defines the remote ID on which the connection policy will be based when the
encryptor is in Multipoint mode. The command is not available if the encryptor is in Point-to-
point/Line mode.
When in TIM mode the policy is based on the rules defined within the IP Rules table. Inband man-
agement is not available in TIM mode and all inband settings are ignored.

date
The date command is used to view and change an encryptor's internal date and time. The com-
mand uses the international date format (ISO 8601), yyyy-mm-dd hh:mm:ss
Format: 
date<CR> View date and time
<date> Set the ‘date’ part as specified
<time> Set the ‘time’ part as specified

Example 1: View current settings

CV1000_A>date

SafeNet Virtualised Encryptor CV1000 140

Command Line Interface (CLI)

2004-11-01 16:27:41 up 3 days 00:05

Example 2: Set date:

CV1000_A>date 2004-10-28
Setting to Thu Oct 28 16:28:27 2004

Example 3: Set time:

CV1000_A>date 13:11:20
Setting to Thu Oct 28 13:11:20 2004

Without any flags, this command will display the unit’s current date and time and also how long it has
been since the unit was last restarted. The date and or time may be set using the format shown
above. This command allows independent setting of the date and time or the coordinated setting of
both the date and the time. As long as the format is correct, the command will accept the input and
adjust the date/time accordingly.
Encryptors with firmware prior to v2.4 do not support the notion of time zones. All peer encryptors
(with secure connections between them) must be set to a common reference time so that the secure
session establishment process can successfully authenticate each others credentials (including cer-
tificate validity period).

Format: 
Note:
It is very important to set the time in a factory default unit. Failing to do so will cause the
encryptor to believe it has been tampered with, which will result in all user and connection
information being erased when the unit next reboots

erase
The erase command erases the current configuration of the unit and reboots into factory default
state.
Format: 
erase<CR> erases the encryptors configuration
- f fully erase unit including the front panel IP addess

Example:
CV1000_A>erase
Warning this command will erase the configuration to factory defaults do you wish to pro-
ceed ? (y/n) y
Are you sure ? (y/n) y
Erasing unit and rebooting . . .

All user and connection entries will be deleted (unless the -f option is used, the configured IP
address will, however, be preserved).
After an erase command has been issued, no traffic will flow through the encryptor and the unit will
need to be reconfigured.

141 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

event
The event command displays the event log, allows the log to be cleared and controls the wrapping
mode of the log.
Format:
event<CR> List the events
-l <n> List the last n records in the log
-s <n> List records in the log starting from n
-n Print the number of records in the log
-c Clear the event log
-w <on|off> Turn wrapping on/off

Example: CV1000_A>event

Number of event records is 13

Log wrapping enabled
(1): 24/11/2003 16:24:44 System started
(2): 24/11/2003 16:24:47 Alarm set: Network interface loss of signal
(3): 24/11/2003 16:24:48 Alarm set: Local interface loss of signal
(4): 24/11/2003 16:24:52 Alarm set: Network port link down indication
(5): 24/11/2003 16:24:53 Alarm set: Local port link down indication
(6): 24/11/2003 16:44:21 System started
(7): 24/11/2003 16:44:23 Alarm set: Network interface loss of signal
(8): 24/11/2003 16:44:23 Alarm set: Local interface loss of signal
(9): 02/12/2003 15:13:08 System started
(10): 02/12/2003 15:13:10 Alarm set: Network interface loss of signal
(11): 02/12/2003 15:13:10 Alarm set: Local interface loss of signal
(12): 02/12/2003 15:13:16 Alarm set: Network port link down indication
(13): 02/12/2003 15:13:16 Alarm set: Local port link down indication

The event log is a non-volatile record of significant events that have occurred. Each record is time-
stamped and contains a detailed text description of the event details.
The event log (like the audit log) has a maximum record size of 4000. When the log fills up, new mes-
sages can either be discarded (wrapping mode disabled, the default) or added to the log, replacing
the previous oldest message (wrapping mode enabled).
The event command allows Administrators to set the wrapping mode for the log as well as the ability
to clear the log.

ftpcfg
The ftpcfg command is used configure and manage the access to remote FTP servers.
Format: 
ftpcfg<CR> Show FTP remote server settings
-a Add remote FTP server entry.
-d <idx> Delete FTP remote server entry.
-e <idx> Edit FTP remote server entry.
-c Clear all remote FTP server settings.
-r <on|off> Restrict FTP access to listed servers only.

SafeNet Virtualised Encryptor CV1000 142

Command Line Interface (CLI)

ftpcfg<CR> Show FTP remote server settings

-s Show public key for SFTP upgrades.
Example:

global
The global command sets the top level processing policy for received Ethernet frames in both Point-
point (line) and multipoint modes.
Format: 
global<CR> Display current global mode status
-b Set global mode to Bypass
-d Set global mode to Discard
-e Set global mode to Encrypt

Example 1: View current settings

CV1000_A>global
Global mode: bypass

Example 2: Set global mode to encrypt

CV1000_A>global -e
Global mode set to encrypt

The global policy can be set to one of the following three settings:

Bypass - all Ethernet frames are passed through the encryptor regardless of any
other policy settings
Discard - all Ethernet frames are discarded by the encryptor regardless of any other
policy settings
Encrypt - all Ethernet frames have ethertype and if applicable Remote ID (MAC or
VLAN) policies applied to determine the ultimate action that is applied to them

help
The help command displays information on the available console commands. Individual command
may be run with the –h flag to get help on that commands.
Format: 
help<CR> List all of the available commands

Example:

CV1000_A>help
alarm - View, clear & acknowledge alarms
audit - View the audit log
event - View the event log

143 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

reboot - Reboot the unit

users - View/edit system users
ip - View/edit ip, mask and gateway addresses
date - View/edit date and time
inband - View/change inband settings
sessions - View/edit session details
version - Display version information.
erase - Erase unit
fips - View/change FIPS operation mode
password - View/change user password policy
passphrase - Set SafeNet sae1 compatible passphrase
help - List all available commands
history - Print command history
logout - Logout from console
prompt - Change the console prompt
Try ‘command -h’ for more detailed help

The help command lists all the available console commands and a brief description of their function.
Further information can be found on any individual command by typing command –h.

history
The history command shows the command history for the current CLI session.
Format: 
history<CR> List command history

Example:

CV1000_A>history

01: date
02: users
03: pvc
04: help
05: ip -s
06: pvc
07: sessions
08: fips
09: history

Previous commands are stored in a 25-deep command history buffer. The up arrow and down arrow
keys cycle forwards and backwards through the buffer and allow any previous command (and all its
parameters) to be executed by pressing ENTER.
Every time a user Logs in and out of the console the history buffer is cleared.

SafeNet Virtualised Encryptor CV1000 144

Command Line Interface (CLI)

hostname
The hostname command is used to set the hostname of the encryptor. The command is not avail-
able on encryptors prior to firmware v2.7.1
Format:
hostname<CR> Display current hostname
-s <hostname> Set the hostname

initcfg
The initialise configuration (initcfg ) command is used to re configure the encryptors security policy
to known starting conditions.
Format:
initcfg<CR> Displays this help
-a Reset tunnel/CI, MAC and global config to defaults and reboot
-c Reset tunnel/CI, MAC to defaults and reboot
-g Reset global config to default and reboot
-1 Test level 1 defaults
-2 Test level 2 defaults
-3 Test level 3 defaults (line mode only)
-4 Test level 4 defaults (line mode only)

Example: Reset global config

CV1000_A>initcfg -a
Warning this command will reset all tunnel/CI, MAC and global data to their factory
defaults and reboot the unit!
do you wish to proceed ? (y/n) y
Are you sure ? (y/n) y
Resetting config and rebooting

This command affects the operating mode, ethertype policy, connection identifiers, MAC tables, eth-
ertype diagnostics state and global policy only; it will not change any other configuration settings.

-a flag
Resets all security policies to factory default settings as follows:

Setting Value after command

Operating mode Meshed
Global policy Discard
Auto-Discovery policy Enabled
Tunnels All existing entries deleted, tunnels set to:
CI Origin Action State Peer Name Remote Encryptor MAC MAC Header
---- -------- -------- -------- ---------------- -------------------- ----------------
0001 PENDING Discard Up N/A
0002 System Discard Up N/A
0003 System Bypass Up N/A
Ethertype policy

145 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Set to:
Offset Encryption Mutate Mutated Injected
Ethertype Enable Offset Enable Ethertype Unicast Multicast Broadcast NonMutant
--------- ------ -------- ----- --------- --------- --------- --------- ---------
H05ff N H0 NA UseCI Bypass Bypass NA
H0800 N H14 Y Hf800 UseCI Discard Bypass Discard
H0806 N H0 N Hf806 Bypass Discard Bypass Bypass
H86dd N H28 Y Hf6dd UseCI Discard Bypass Discard
H8808 N H0 N Hf808 Bypass Bypass Bypass Bypass
H8809 N H0 N Hf809 Bypass Bypass Bypass Bypass
H88cc N H0 N Hf8cc Bypass Bypass Bypass Bypass
H9000 N H0 N Hf000 Bypass Bypass Bypass Bypass
Other N H0 NA UseCI Discard Discard NA
Local/Network MAC tables
All entries are deleted
Executing this command forces a reboot of the encryptor.

-c flag
Resets connection policies as follows:

Setting Value after command

Operating mode NO CHANGE
Global policy NO CHANGE
Auto-Discovery policy NO CHANGE
Tunnels All existing entries deleted, tunnels set to:
CI Origin Action State Peer Name Remote Encryptor MAC MAC Header
---- -------- -------- -------- ---------------- -------------------- ----------------
0001 PENDING Discard Up N/A
0002 System Discard Up N/A
0003 System Bypass Up N/A
Ethertype policy NO CHANGE
Local/Network MAC tables Deleted

-g flag
Resets global policies as follows:

Setting Value after command

Operating mode Meshed
Global policy Discard
Auto-Discovery policy Enabled
Tunnels
NO CHANGE
Ethertype policy
Set to:
Offset Encryption Mutate Mutated Injected
Ethertype Enable Offset Enable Ethertype Unicast Multicast Broadcast NonMutant
--------- ------ -------- ------ -------- --------- --------- --------- ---------

SafeNet Virtualised Encryptor CV1000 146

Command Line Interface (CLI)

H05ff N H0 NA UseCI Bypass Bypass NA

H0800 N H14 Y Hf800 UseCI Discard Bypass Discard
H0806 N H0 N Hf806 Bypass Discard Bypass Bypass
H86dd N H28 Y Hf6dd UseCI Discard Bypass Discard
H8808 N H0 N Hf808 Bypass Bypass Bypass Bypass
H8809 N H0 N Hf809 Bypass Bypass Bypass Bypass
H88cc N H0 N Hf8cc Bypass Bypass Bypass Bypass
H9000 N H0 N Hf000 Bypass Bypass Bypass Bypass
Other N H0 NA UseCI Discard Discard NA
Local/Network MAC tables NO CHANGE

Test mode levels

-1|2|3|4 flag
The initcfg command also provides a number of configuration test levels. These are a sequence of
pre-determined policy settings intended to assist in problem resolution during network installation or
testing.
These test levels replace the normal defaults with pre-defined settings for the purposes of detecting
non-compliant network behaviour.
The intent is for tests to be carried out sequentially from numerically low to high-level settings in
order to assist in profiling the operational network.
The test levels may assist in resolving traffic flow problems of the following nature:
l Inability to pass encrypted traffic
l Intermittent connectivity when encrypting traffic
l Inability to pass traffic of a particular ethertype
These settings are intended for network testing only and should not be used for operational pur-
poses.

inventory
The inventory command is used to list the details of the encryptor's control and interface modules.
Format: 
inventory<CR> Display inventory details

Example: View inventory

CV1000_A>
CV1000_A>inventory
======================================================================
Management Module
----------------------------------------------------------------------
Board Number = B2010A005-51
Description = System Module
Serial Number = 00D01F030219
Software Version = 2.7.1
Software Description = System Management Software
Build ID = 5.C245
Build Number = 1302757132

147 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Build Date & Time = 14-Apr-2017 14:58:52

======================================================================
Interface Module
----------------------------------------------------------------------
Board Number = B2084A001-51
Description = Gigabit Ethernet Crypto I/F Card
Serial Number = 00D01F030470
Software Version = 2084 v2.2.16
Software Description = Interface Module Firmware
Build ID = N/A
Build Number = N/A
Build Date & Time = N/A
CV1000_A>

ip
The ip command is used to configure the unit’s management port IPv4 (idx=1) and IPv6 (idx=2)
addresses.
Format: 
ip<CR> Show IP management settings
Edit IPv4/IPv6 management set-
-s <idx><addr>/<prefix><gw>
tings
Enable interface entry (idx = 1-
-e <idx>
4)
Disable interface entry (idx = 1-
-d <idx>
4)

Set auxiliary mgmt interface

-a <disabled|isolated|bridged>
operational mode
Enable/Disable auxiliary inter-
-g <-e | -d>
face as inband gateway
-c <value>/<> Set/reset DSCP value
Set/reset DSCP value on aux-
-x <value>/<>
iliary interface.

Example 1: View current settings:

CV1000_A>ip
Index Port Status AF Address/Prefix
                                    Gateway
----- -------------- -------- ---- -----------------------------------------
01 Management Enabled  IPv4 172.16.6.20/16
                                    172.16.1.1
02 Management   Disabled IPv6 ::1:1:1:2/96
                                    ::1:1:1:1
03 Inband Mgmt(0) Disabled IPv4 2.1.1.2/16
                                    2.1.1.1

Auxiliary Management Port: Disabled

Inband Management Gateway Enabled: N

SafeNet Virtualised Encryptor CV1000 148

Command Line Interface (CLI)

Main Interface DSCP value: 0

Front Panel Ethernet Port:
Configured: Auto Negotiation: Enabled
Maximum Advertised Rate: 100 Mbit/s, Full Duplex.
Current Status: Link State: Up
Auto Negotiation Status: Complete
Actual Rate: 100 Mbit/s, Full Duplex.
Link Partner: Maximum Advertised Rate: 100 Mbit/s, Full Duplex.

Example 2: Set new IPv4 address:

CV1000_A>ip -s 1 10.0.33.80/16 10.0.1.254

Example 3: Set new IPv6 address:

CV1000_A>ip -s 2 2001:0db8:3c4d:0015:0:0:abcd:ef12/32 2001::abcd:1234

-s flag
The IP address table consists of threefour fixed entries:
1. Management port IPv4 address.
2. Management port IPv6 address.
Each entry can be configured using ip –s <idx> addr/prefix gw.
Where:

<idx> is the table index (1,2,3 or 4)

addr/prefix is the v4 or v6 address and prefix
gw is the default gateway for this port

IPv6 addresses are entered using the standard address format and abbreviations.

-e flag -d flag
These flags are used to either disable or enable the related option.

-c flag
Sets (or resets) the main ports DSCP value. The DSCP (Differentiated Services Code Point) value
may be required to meet the QoS policy requirements of the management network.

-x flag
Sets (or resets) the auxiliary ports DSCP value.

-a flag
Sets the state of the auxiliary management interface. The options are:

disabled (the default) which makes the interface unavailable

isolated, which enables a separate interface that allows an isolated network to man-
age the encryptor.
bridged, which allows the encryptor to pass through front panel management com-
mands to additional encryptors that are linked via the auxiliary port to their front panel.

-g flag

149 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Enables the auxiliary port (if in isolated mode) to be used as an gateway to inband gateway for the
management of remote encryptors.

iprules
The iprules command is used when an encryptor is operating in TIM mode to establish the IP policy
rules for L3/L4 Ethernet traffic
The iprules table further defines IPv4/IPv6 policy lookups based on IP address, IP next protocol
fields and TCP/UDP port numbers.
The IP address search is based on a longest prefix match (LPM), and several subnetted entries may
be required to fully prescribe policy.
The iprules command matches destination IP address and destination TCP/UDP port.

The Ethertype policy (for IPv4 or IPv6 only) must be set to L3/L4 for the iprules to take effect.
Iprules can be either added or deleted. Edit operations are not allowed on existing Iprules.
The iprules feature allows the user to specify an IP address, IP address subnet mask, IPv4/IPv6 pro-
tocol/next header and TCP/UDP port number (if applicable) to;
l Encrypt at layer 2
l Encrypt at layer 3
l Encrypt at layer 4
l Bypass
l Discard
Any combination of the above can simultaneously be active. One subnet can be encrypted at L3
whilst another at L2, whilst another is discarded, etc.

Format: 
iprules<CR> Show IP policy settings

Add IP rule Port numbers only valid for

-a <addr>/<prefix>
TCP/UDP
   <protocol_id>
   <port_number>
   <d|b|c12|c13|c14>
-d <idx> Delete IP rule
-c Clear all rules
-u <d|b|c12|c13|c14> Action for unlisted IP addresses

Iprules is used to set specific policies for each subnet of IP Addresses that can be further fine
grained for specific transport layer protocols. For TCP/UDP over IP, specific policies can be set for
port numbers as well. In case of multiple rules with similar IP address and subnets, it's always the
longest matching subnet prefix, that will take precedence. cl2/cl3/cl4 can be used to set the protocol
layer at which encryption is needed. cl4 implies encryption of layer4 payload and is only supported
for TCP/UDP

Displaying the current IP rules

CV1000_A>iprules
IP policy rules
Index Address Netmask Protocol Port Action
----- ------------------ ------- -------- ----- --------------

SafeNet Virtualised Encryptor CV1000 150

Command Line Interface (CLI)

1 192.168.1.0 24 * * Encrypt L3
2     192.168.1.20 32 6 * Encrypt L4
3 192.168.1.22 32 1 * Discard
4 192.168.1.22 32 88 * Bypass
5     192.168.1.22 32 6 20 Encrypt L3
6 192.168.1.22 32 6 * Discard
7 192.168.1.22 32 6 22 Encrypt L4
8 192.168.1.20 32 17 * Bypass

Setting an IP rule
CV1000_A>iprules -a 200.0.0.10 * c13
Action set to CryptLayer3!
CV1000_A>iprules -u b
Unlisted IP address Default action set to bypass!
CV1000_A>iprules

IP policy rules

Index  Address                                   Netmask Protocol Port Action

----- ----------------------------------------- ------- ------- ----- ----------
   1   200.0.0.10                                   32       * * Layer 3

Default action set to: Bypass

CV1000_A>

kdf
The kdf command is used to generate and display a new Key derivation key. The key can be copied
and distributed to peer encryptors to enable encryption.
Note that any existing Key derivation key within the encryptor is erased.
Note; if a KDK key is to be activated at a given date and time and NTP causes the time to shift more
than an hour, the KDK key will be removed and a new KDK key is required to be generated.
Format: 
kdf<CR> View
-g Generate and display a new Key Derivation Key
-k <key> Paste Key Derivation Key to encryptor

Examples:

Pressing <CR> displays the SHA-256 hash of the encryptors kdf key. This can be used to verify that
the same key has been installed on all of the encryptors.

CV1000_A>

Installed key Derivation status ...

HASH::

151 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

9a7c80afa55d9d8550a4498961cf3c9b172210bf63897b60e0560fc818acba294

The -g option is used to generate a new kdf key using the encryptor's entropy source.

CV1000_A>kdf -g

This will destroy the current Key derivation key.

and install a new one. It will be displayed once for distribution.
Do you wish to continue (y/n) ?y

Key Derivation Key:

bd6db004257ca63c1b8a0d42a051485fa859c0fbf7f463c07d47c2961ad377dd
HASH:
9a7c80afa55d9d8550a4498961cf3c9b172210bf63897b60e0560fc818acba294
CV1000_A

.
When a key is generated its value is displayed once (and once only). The kdf key value should then
be installed on all encryptors wihin the same network using the -k option.

CV1000_A> kdf -k 8b0b-

f71ad7a70e434063dccf21c5fbf3fd9608eb324321ed56288bfabec5039e
Key derivation key successfully installed

HASH:
9b9a1cba7e56d9e5cf73e10998ea83e00a51c502fcb26d70b7ab41503c4f46c8

keyprovider
The keyprovider command is used to specify the key provider that will be used within a network
that is using encryptors that have been configured to run in Transport Independent Mode.
Format: 
keyprovider<CR> View the currently selected key provider type
kdf Set the key provider as KDF
ks Set the key provider as a KMIP server

The key provider cannot be set to KMIP on multi-slot encryptors.

Changing the key provider requires the user to restart the connections to enable immediate change
over the new provider.

Example 1: View current settings

CV1000_A>keyprovider<CR>
Key Provider mode is : Key Derivation Function
CV1000_A>

Example 2: Select KDF as key provider

CV1000_A>keyprovider kdf<CR>

SafeNet Virtualised Encryptor CV1000 152

Command Line Interface (CLI)

Key Provider mode is : Key Derivation Function

CV1000_A>

kscfg
The kscfg CLI command allows the user to enable, disable, and configure KeySecure remote server
configuration, including client authentication if global keys are not being used
Format: 
kscfg<CR> Show KeySecure remote server settings
Add KeySecure remote server entry e.g.
-a <IPv4 or IPv6 addr><tier>
192.168.1.10 1
-e Enable KeySecure
-d Disable KeySecure
-r <idx> Delete KeySecure remote server entry
-c Clear all KeySecure remote server settings
-s <username <pwd> Set KeySecure client authentication

Example:
To connect an encryptor to a single KeySecure server, you need to specify the IP Address of the
server and a tier. An initial tier 1 will be provided with default values for a TCP connection. SafeNet
recommends this as a first step to test connectivity, and then to progress to an SSL connection.

The following commands adds a remote server entry for tier 1, displays the KeySecure settings and
then enables KeySecure on the unit

CV1000_A kscfg –a 192.168.1.10 1 <CR>

CV1000_A kscfg <CR>
KeySecure remote server settings
Index Address Tier
------- ------------ ----
1 192.168.1.10 1
CV1000_A kscfg –e <CR>
KeySecure remote server enabled, config written

kstier
The kstier CLI command allows the user to add, delete and edit KeySecure tier configurations, sup-
porting Load Balancing Groups and Multi-Tier Load Balancing
Format: 
kstier<CR> Show KeySecure tier settings
-a <port> <proto> <conn pool size>
<timeout> <read timeout> <idle Add KeySecure tier entry e.g.: 9000 ssl 300
timeout> <retry interval> [<cer- 30000 30000 600000 600000 6
tificate idx>]
-d <idx> Delete a KeySecure tier entry
-e <idx> <port> <proto> <conn pool
Edit KeySecure tier entry eg: 1 9040 ssl
size> <timeout> <read timeout>
200 20000 20000 500000 500000 6
<idle timeout> <retry interval>

153 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

kstier<CR> Show KeySecure tier settings

[<certificate idx>]
-c Clear all tier settings

Parameters:

port: - the port of the remote KeySecure server. This port will be common to all servers
in the tier.
protocol: - the protocol of the connection to the remote KeySecure server, either TCP
or SSL.
connection pool size: - the maximum number of connections to KeySecure allowed.
connection timeout: - specifies how long we will wait(in milliseconds) for the con-
nection to KeySecure before timing out.
connection read timeout: - specifies how long we will wait trying to read data from
KeySecure before timing out.
connection idle timeout: - specifies how long idle connections will remain open before
being closed.
connection retry interval: - specifies how long we will wait before trying to reconnect to
an uncontactable KeySecure server.
certificate index: - the certificate to use for the connection to KeySecure when the pro-
tocol is SSL

Example:
To add a tier configuration the -a command is used. If the protocol is SSL then a certificate index can
be provided, or if this is left out, the available certificates will be listed so that you can enter the cer-
tificate index.

CV1000_A kstier -a 1234 ssl 300 30000 30000 600000 600000<CR>

N V1 or V2 certificates loaded.

X.509v3 Certificates:
Id  Type      Identifier  Alg Size  Expiry  State    In Use  Signed by
 3  x509 En   92cb2648    RSA 2048
3634  Valid     No     c059db9a  /C=AU/ST=Victoria/L=Melbourne/O=Org/OU=Security/CN=encryp-
tor
 4  x509 En   c9e271a5    RSA 2048 7276  Valid     No     self      /C=AU/CN=keyID1
 5  x509 En   df34d955    RSA 2048 7278  Valid     No     self      /C=AU/CN=keyID2
 6  x509 En   98018d83    RSA 2048
3216  Valid     No     self      /CN=595930804784475049752986231035097958713543161738
 7  x509 En   c059db9a    RSA 2048
2609  Valid     No     self      /C=AU/ST=Victoria/L=Melbourne/O=Senetas/OU=SecurityLic/CN-
=Licensing

Enter certificate index: 6

CV1000_A kstier<CR>
KeySecure tier entries
Index Tier Port Proto Pool Timeout Read Idle Retry Certificate
                      Size Timeout Timeout Interval
---------------------------------------------------------------------

SafeNet Virtualised Encryptor CV1000 154

Command Line Interface (CLI)

  1 1 1234 ssl 300 30000 30000 600000 600000 98018d83

CV1000_A

licence
The licence command is used to configure the license applicable to a virtual encryptor.
Format: 
licence<CR> Displays the current licence

Example: Showing the licence information

CV1000_A>licence

Licence:
HOSTID: 6478860004e49055dacae5444bc09a45576a1645d85a1ea1d06063c56769d7b6
status: 15 day trial active. 12 day(s) remaining

linkspeed
The linkspeed command is used to set the physical interface connection parameters for both Local
and Network ports.
Format: 
linkspeed<CR> Display current link speed
-a <e|d> Enable/disable autonegotiation
-s Set the link speed
-m <e|d> Enable/disable local link monitoring
-f Set Link Loss Forwarding (LLF) action
Enable/disable Tie LLF to connection status (line mode
-c <e|d>
only)

Example: View current settings (1 Gbps encryptor)

CV1000_A>linkspeed
Link parameter
-----------------------
Maximum link capability
Configured link speed
Current link status
Current link status (Network)
Current link status (Local)
Auto Negotiation
Local link monitoring
Optical Link Loss Forwarding
LLF tied to connection(line mode)
Status
-------------------
1Gb/s Full Duplex
100Mb/s Full Duplex
100Mb/s Full Duplex
100Mb/s Full Duplex
100Mb/s Full Duplex
enabled
disabled
disabled
enabled

155 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Example: Disable auto-negotiation (10Mbps, 100Mbps, 1Gbps only)

CV1000_A>linkspeed -a –d
Auto Negotiation disabled

Example: Set maximum link speed to 1Gb/s

CV1000_A>linkspeed -s
Link speed options:
10Mb/s Full Duplex (1)
->100Mb/s Full Duplex (2)
1Gb/s Full Duplex (3)
New link speed >: [2] 3
Link speed set to: 1Gb/s Full Duplex

The local and network ports are usually configured identically since the encryptor is a “bump in the
wire (fibre)” device.

-a flag
Allows auto-negotiation to be enabled or disabled. (not applicable to 100 Gbps units)
Disabling this may be necessary when connecting to Ethernet devices that don’t correctly support
auto-negotiation.

-s flag
Sets the physical connection speed to the specified value.

-m flag
Local link monitoring is a feature that is used to set the unit into global discard mode in the event of
link loss being detected on the local port (for example, the local port cable is unplugged).
Once in global discard mode the encryptor will not pass traffic until an administrator or supervisor
has logged in and changed the global mode back to secure.

-f flag
Link Loss Forwarding (LLF) is used on optical Ethernet links to propagate a loss in received signal
on one port to the transmitter on the opposite port.
LLF is used to ensure that transmission loss can be propagated u and /downstream so that other net-
work equipment can detect the failure and take appropriate action, for example, switching to altern-
ative network paths.
For example, a loss of Rx signal on the Network port will be forwarded to the Local port by turning off
the Tx laser on the local port.
Link loss can be propagated in either a single direction or in both directions.

CV1000_A>linkspeed -f
Optical Link loss forwarding options:
-> disabled (1)
propagate Net->Loc (2)
propagate Loc->Net (3)
propagate Loc<->Net (4)

SafeNet Virtualised Encryptor CV1000 156

Command Line Interface (CLI)

-r flag
Configure forward error correction (FEC) on the local, network, or both of the optical interfaces.

-c flag
In line mode of operation, by tying LLF to connection status, it is also possible to disable the local
port transmitter until the secure connection has been successfully established.
If enabled then the local port Tx laser will not be turned on (indicating link up) until the encryptor has
successfully completed its key negotiation and is ready to securely pass traffic.

logout
The logout command logs the current user out of the console and returns to the login prompt.
Format: 
logout<CR> Logout from the CLI

Example:

CV1000_A>logout
Welcome to CV1000_A Encryptor
Version: 4.0.0
Built: 14-Jul-2010 12:56:48
Build number: 1279076208 C198
LOGIN:

A login requires entry of the user's credentials - ID and password. If a non-administrative user login
fails due to lexical checks, as shown below, then they are locked out. Administrative users are able
to change their password.
The examples that follow are for an administrative user, ‘admin’, and a non-administrative user ‘oper-
ator’.

LOGIN:admin
PASSWORD:**********
Password no longer meets lexical check
Auth password: <8-29 characters>: ***********
Confirm password: <8-29 characters>: ***********
Password expiry: <yyyy-mm-dd|(S)ixty days|(D)isabled>: [0000-00-00]
Is the information correct? (y/n/q) y
Record updated
CV1000_A>

LOGIN:operator
PASSWORD:**********
Password no longer meets lexical check
LOGIN:

157 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

ntpcfg
The ntpcfg command is used to configure the addresses of NTP servers that will be used by the
encryptor to establish its date and time. The validity of the addresses is checked and the presence of
at least one valid address enables the use of an NTP server for the maintenance of the encryptors
time.
Format: 
ntpcfg<CR> Show NTP server connections
-a <IPv4|IPv6
Add NTP server entry.
addr>
-d <idx> Delete NTP server entry.
-c Clear all NTP server settings.
-p Print current NTP status.

Example:

CV1000_A>ntpcfg
NTP server details
Index Address
----- -----------------------------------------
1 192.189.54.17
2 1.1.1.1
3 1.1.1.2
4 ::2
CV1000_A>

overview
The overview command is used to view and modify the encryptors contact details, location inform-
ation, and comments field.
Format: 
community<CR> Show overview
-c <contact> Set the contact details (quoted string)
-l <location> Set the location information (quoted string)
-m <comment> Set the comments (quoted string)

Example 1: Display current overview

CV1000_A>overview

Contact  :
Location :
Comment  :
CV1000_A>

Example 2: Setting contact details

CV1000_A>overview -c "for Support call +1 555 123456"

SafeNet Virtualised Encryptor CV1000 158

Command Line Interface (CLI)

CV1000_A>

To clear an entry specify the required option and an empty string ("").

password
The password command is used to view and modify the user password policy. Enhanced mode can
be enabled to allow the enforcement of AR-25-2.
Format
password<CR> Show current password policy
-r <0-255> Password reuse history size
-o <0|1-240> Password change lockout period
-e [on|off] Enhanced password mode
-m <8-29> maximum length
-u <1-2> Minimum uppercase characters
-l <1-2> Minimum lowercase characters
-n <1-2> Minimum numerical characters
-s <1-2> Minimum special characters

Example 1: View password policy

CV1000_A>password
Password enhanced mode: Disabled
Password lexical check: Enabled
Password reuse history: 255
Password requirements:

1. Length of 8-29 characters

2. At least 1 uppercase alpha character
3. At least 1 lowercase alpha character
4. At least 1 numerical character
5. At least 1 special character

Example 2: Set password parameters

CV1000_A>
CV1000_A>password -u 2
Minimum uppercase characters: 2
CV1000_A>password -l 2
Minimum lowercase characters: 2
CV1000_A>password -n 2
Minimum numerical characters: 2
CV1000_A>password -s 2
Minimum special characters: 2
CV1000_A>password -m 15
Minimum password length: 15
CV1000_A>
CV1000_A>password
Password enhanced mode: Disabled
Password lexical check: Enabled

159 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Password reuse history: 255

Password requirements:

1. Length of 15-29 characters

2. At least 2 uppercase alpha characters
3. At least 2 lowercase alpha characters
4. At least 2 numerical characters
5. At least 2 special characters

CV1000_A>

When the enhanced password mode is turned on, the following are enabled:
l Password expiry
l User lockout if 2 unsuccessful attempts within an hour
l Password lexical checking at logon
l Logging of failed logon attempts
l Disallowing of matching password and UserID
Enhanced mode allows policy to be configured to meet the requirements of AR-25-2. Compliance is
not enforced.
When enhanced password mode is turned off, then default lexical checking is only performed when
user accounts are created.
As a default, lexical checking requires that all user passwords have:
l A minimum of 8 characters
l At least one upper-case alphabetic character
l At least one lower-case alphabetic character
l At least one digit
l At least one special character
These defaults can be changed using the -m, -u, -l, -n, and -s commands.
If lexical checking fails in enhanced mode then administrative users are able to change their pass-
word; all other users are locked out and are not able to access the system until their accounts are re-
enabled by an administrator.
Password history is used to discourage too frequent password reuse. The -r command is used to set
the reuse limit in the range 0 to 255. When set to non-zero a record of previous user passwords is
maintained for each account and when the password is changed the system ensures that old pass-
words are not reused. The reuse size allows fine control over how often user account passwords
may be recycled.
If password reuse is disabled (set to 0) then no checking of user password reuse is enforced.
The password lockout period specifies the number of hours during which only a single change to the
users password is allowed. A value of 0 disables it.

profile
The profile command allows the administrative mode of the user to be set to either the 'standard' or
a 'simplified' mode.
The standard mode provides four roles; 'Administrator', Supervisor', 'Operator' and 'Upgrader',
whereas the simplified mode has two roles; 'Administrator' and 'Operator'.
For multi-slot encryptors the command is valid when in either 'Host' or 'Slot' mode.

SafeNet Virtualised Encryptor CV1000 160

Command Line Interface (CLI)

Format: 
profile <CR> Display current Profile mode status
-f Full/Standard administrative mode
-s Simplified administrative mode

Caution:
Changing this setting will require an erase and reboot.

Examples:

CV1000_A>profile
Profile: Full/Standard
CV1000_A>profile -s
Warning: Changing the profile mode will erase the configuration and reboot this encryptor
Do you wish to proceed ? (y/n) n
Profile mode unchanged

prompt
The prompt command allows the console prompt to be customised to a more meaningful name. (for
example, encryptor location, asset number etc.)
The same prompt is used for all users logged into the CLI. The customised value is stored in non-
volatile memory and is therefore preserved across reboots.
Format: 
prompt name<CR> Set the CLI prompt to name (maximum of 30 characters)

Example:

CV1000_A>prompt Adelaide1
Adelaide1>

rest
The rest command is used to enable or disable RESTful servers which can be used to provide
remote monitoring of encryptors via a web browser.
The RESTful interface access control is controlled via the user console access rights.
Format: 
Rest<CR> View RESTful server configuration settings
-e Enable RESTful server
-d Disable RESTful server
-s Set https server certificate (end user certificate)

Example: configure the server

CV1000_A>rest -s

161 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

No V1 or V2 certificates loaded.

X.509v3 certificates:
Id  Type      Identifier  Alg Size  Expiry  State    In Use  Signed by
3   x509 En   675af1b2    RSA
2048     362  Valid     No     944e5b3e   /C=AU/ST=Victoria/L=Melbourne/O=Org/OU=Security/-
CN=Encryptor
 4  x509 CA   944e5b3e    RSA
2048    1689  Valid     No     Self       /C=AU/O=Organisation/CN=CommonName/UID=149526178-
4

Enter certificate Index or CR for none: 3

CV1000_A>

Verify the selection and then enable the web server access.
CV1000_A>rest

REST server is disabled

REST https server certificate hash: 675af1b2
CV1000_A>rest -e

Enabled RESTful server.

CV1000_A>

The web server should now be operational and this can be verified through an initial HTTP(s)
request

Standard encryption role based access control will require username and password to be provided
for client authentication.

reboot
The reboot command performs a complete reboot of the unit. During the reboot process no traffic
will pass through the encryptor.
Format: 
reboot<CR> Reboot the encryptor

Example: Reboot unit

CV1000_A>reboot
Are you sure you want to reboot the unit ? (y/n)

SafeNet Virtualised Encryptor CV1000 162

Command Line Interface (CLI)

snmpcfg
The snmpcfg command is used to configure the SNMPv3 privacy settings.
Format: 
snmpcfg<CR> Show/Modify current state
-p [on|off] Enable/Disable SNMP privacy
-v [on|off] Enable/Disable SNMPv1
-w x Time window (mins) for USM auth errors (0 = disabled)
-f x Number of USM auth errors before lockout
(if time window enabled)

Example 1: View current SNMP privacy settings

CV1000_A>snmpcfg
SNMP Privacy mode enabled

Example 2: Disable SNMP privacy settings

CV1000_A>snmpcfg -p off
Disable SNMP Privacy selected. Validation...succeeded.
SNMP Privacy Disabled

- If SNMP privacy is enabled then all SNMP commands and responses will be encrypted as well as
authenticated.
- If SNMP privacy is disabled then SNMP commands and responses will be authenticated only.
Privacy can only be disabled if the unit is configured with FIPS mode disabled (because SNMP pri-
vacy is mandatory for FIPS compliance).See "Management systems" on page 51

snmptraps
The snmptraps command is used to add or delete entries in the SNMPv3 trap list.
Format: 
snmptraps<CR> Show SNMPv3 trap server list
-a <IPv4|IPv6addr> Add SNMPv3 trap server entry
   -v <2|3> SNMP trap type (Default is v2)
   -s < SNMPv3 trap type server security model:
       AuthPriv| - authentication and privacy
       AuthNoPriv| - authentication only
       NoAuthNoPriv> - no authentication and no privacy
-e <idx> Enable SNMPv3 trap server entry
-d <idx> Disable SNMPv3 trap server entry
-r <idx> Remove SNMPv3 trap server entry
-p Purge all SNMPv3 trap server entries

163 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

sshcli
The sshcli command is used to enable or disable SSH CLI access.
SSH public keys can be added to a table and the SSH server port can be specified.
Support for RSA keys was removed at version 5.0.2.

Format: 
sshcli <CR> Show SSH public keys
-a <"key string"> Add SSH public key entry (double quote key)
-e Enable remote SSH CLI access
-d Disable remote SSH CLI access
-p Set SSH server port number
-r <idx> Remove SSH public key entry
-c Clear all SSH public key entries

Example:
CV1000_A>sshcli -e
SSH enabled

stats
The stats command lists the statistics for the local and network ports
Format: 
stats<CR> Show Local/Network port statistics
-l Show Local port statistics
-n Show Network port statistics
-r Reset statistics
-u Instantaneous Utilisation Bandwidth
-p Policy Stats

The Reset command, -r, resets the following statistics:

local port statistics

network port statistics
protocol statistics (TIM operational mode)
ethertype statistics (TIM operational mode)
Tx and Rx tunnel/connection statistics

Example: Show all port statistics

CV1000_A>stats
Ethernet Local Port Statistics:
Rx Corrupted Frames = 0
Rx Interframe Gap Errors = 0
Rx Octet Count = 0
Rx Frame Count = 0

SafeNet Virtualised Encryptor CV1000 164

Command Line Interface (CLI)

Rx FCS Errored Frames = 0

Rx PCS Errored Frames = 0
Rx Undersized Frames = 0
Rx Oversized Frames = 0
Rx Discarded Frames = 2
Rx PCS Sync Status = In Sync
Tx Octet Count = 0
Tx Frame Count = 2
Tx FCS Errored Frames = 0

Ethernet Network Port Statistics:

Rx Corrupted Frames = 0
Rx Interframe Gap Errors = 0
Rx Octet Count = 0
Rx Frame Count = 0
Rx FCS Errored Frames = 0
Rx PCS Errored Frames = 0
Rx Undersized Frames = 0
Rx Oversized Frames = 0
Rx Discarded Frames = 0
Rx PCS Sync Status = In Sync
Rx Manage Octet Count = 0
Rx Manage Frame Count = 0
Rx Manage Drop Frames = 0
Tx Octet Count = 71202
Tx Manage Octet Count = 71358
Tx Frame Count = 343
Tx Manage Frame Count = 343
Tx FCS Errored Frames = 0
Rx Shim Octets = 0
Tx Shim Octets = 0
Tx Encrypted Octets = 0
Tx Encrypted Frames = 0
Rx Encrypted Octets = 0
Rx Encrypted Frames = 0
Failed Auth Frames = 0
Replay Error Frames = 0
Skipped Counter Frames = 0
FPGA Resets = 0

CV1000_A>

Example: Show utilisation

CV1000_A> stats -u
Encrypt Utilisation:
Rx Total 100.000%
Rx FCS Errors 1.000%

165 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Rx Discard Policy 9.000%

Rx Dropped Rate Limit 0.000%
Rx Dropped Overflow 0.000%
-
Tx Total 94.000%
Tx Bypass Policy 41.000%
Tx Secure Policy  50.000%
Tx FCS Errors 1.000%
Tx Management 1.000%
Tx Crypto Excess 1.000%
Decrypt Utilisation:
Rx Total 94.000%
Rx FCS Errors 1.000%
Rx Discard Policy 0.000%
Rx Dropped Rate Limit  0.000%
Rx Dropped Overflow    0.000%
Rx Bad Authentication  0.000%
Rx Management          1.000%
Rx Crypto Excess 1.000%
-
Tx Total 91.000%
Rx Bypass Policy 41.000%
Rx Secure Policy 50.000%
Tx FCS Errors          1.000%
CV1000_A>

Example: Show policy statistics

CV1000_A>stats -p
Local Policy Statistics
L2 Encrypted            = 0
L3 Encrypted            = 0
L4 TCP Encrypted        = 0
L4 UDP Encrypted        = 0
Malformed Frames        = 0
Not matching iprule     = 0
Res. Multicast bypass = 0

Network Policy Statistics

L2 Encrypted            = 0
L3 Encrypted            = 0
L4 TCP Encrypted        = 0
L4 UDP Encrypted        = 0
Malformed Frames        = 0
KID out of range        = 0
Unknown KID             = 0
Not matching iprule     = 0
Res. Multicast bypass   = 0
CV1000_A>

SafeNet Virtualised Encryptor CV1000 166

Command Line Interface (CLI)

syslog
The syslog command is used to configure syslog server entries for the encryptor. Up to 10 distinct
servers can be configured using the IPv4 or IPv6 address notation. DNS lookup is not supported.
Format: 
syslog<CR> Show syslog server connections
-a <IPv4|Ipv6addr> Add syslog server entry
-d <idx> Delete syslog server entry
-p Purge all syslog server entries

Examples:
CV1000_A> syslog -a fc0f:1234::1
Restarting system log daemon: syslogd.

CV1000_A>syslog
NB: Event messages are syslog facility Local5.*
Audit messages are syslog facility Local4.*
Index Address
----- -----------------------------------------
1 10.65.65.118
2 fc0f:1234::1
CV1000_A>

IPv4 or IPv6 are automatically checked. Invalid address entries are rejected.
CV1000_A>syslog -a 0.0.0.0
Invalid IP Address - 0.0.0.0
CV1000_A>syslog -a ::
Invalid IP Address - ::
CV1000_A>syslog -a notanaddress
Invalid IP address. Require standard dot notation IPv4 or IPv6 address.
CV1000_A>

tacacs
The tacacs command allows TACACS+ server connections to be defined and managed.
Entries can be added for IPv4 and/or IPv6 servers.
Format: 
tacacs<CR> Show TACACS+ server connections.
-a <IPv4 or IPv6 addr[:port]> Add TACACS+ server entry.
<timeout> <key> e.g. IPv4 a.b.c.d:port / IPv6 [::}]:port
-e Enable TACACS+
-d Disable TACACS+
Change password for TACACS+
-p
account
-r <idx> Remove TACACS+ server entry.
-c Clear all TACACS+ server settings.
-b <on|off> Broadcast audit notifications to all

167 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

tacacs<CR> Show TACACS+ server connections.

servers.
Set SNMPv3 USM TACACS+ user
-s <password>
password
NB: This is not your user password ( 
use -p )

Example:

CV1000_A>tacacs

timezone
The timezone command is used to set the encryptor's timezone to that of its physical location. The
command was introduced in version 2.4.0.
 Format:
timezone<CR> List all timezones
-s Set the time zone

Example:
timezone -s
Please select region >: 7
Timezone options for Australia:
(1) Lord Howe Island
(2) Tasmania - most locations
(3) Tasmania - King Island
(4) Victoria
(5) New South Wales - most locations
(6) New South Wales - Yancowinna
(7) Queensland - most locations
(8) Queensland - Holiday Islands
(9) South Australia
(10) Northern Territory
(11) Western Australia - most locations
(12) Western Australia - Eucla area
Please select timezone >: 4
Selected timezone information:
Country name: Australia
Timezone name: Melbourne
Timezone comments : Victoria
Offset to UTC: +10.00
Do you wish to change to new timezone? (y/n)

In some cases a region only has a single country (e.g. Australia, Antarctica, etc.) and step 2 is
skipped. In many cases a country only has a single timezone and step 3 is skipped. When a

SafeNet Virtualised Encryptor CV1000 168

Command Line Interface (CLI)

timezone is accepted the system timezone files (timezone and localtime) are set and the time-
dependant services are restarted (syslog and ntp). The user can exit the command by pressing
Enter at any time.
The special region Etc allows the user to set an offset from UTC or to set the timezone back to UTC
or GMT. All of the timezones in this region are derived from the encryptor. The offsets in the timezone
names in the Etc region are the opposite of the offset that will be set. for example, GMT+10 will actu-
ally set an offset to GMT of -10 hours.

Timezone options for Etc:

(1) GMT (19) GMT-12
(2) GMT+0 (20) GMT-13
(3) GMT+1 (21) GMT-14
(4) GMT+10 (22) GMT-2
(5) GMT+11 (23) GMT-3
(6) GMT+12 (24) GMT-4
(7) GMT+2 (25) GMT-5
(8) GMT+3 (26) GMT-6
(9) GMT+4 (27) GMT-7
(10) GMT+5 (28) GMT-8
(11) GMT+6 (29) GMT-9
(12) GMT+7 (30) GMT0
(13) GMT+8 (31) Greenwich
(14) GMT+9 (32) UCT
(15) GMT-0 (33) UTC
(16) GMT-1 (34) Universal
(17) GMT-10 (35) Zulu
(18) GMT-11

When you select a timezone, information for that timezone is displayed including the general offset
to UTC (which does not factor in daylight saving). If this timezone is accepted then the real offset
from UTC (including daylight saving adjustment) is displayed along with UTC and local times and
timezone name.

transec
The transec command is used to set enable or disable TRANSEC framing and set the parameters
required to generate transport frames.
Format: 
transec<CR> Display TRANSEC mode status
-a <dst> <src> [header] Set header information (hex)
-r <rate> Set rate (frames/sec)
-b <rate> Set rate (bits/sec)
-c <rate> Set rate (percentage)
-e enable TRANSEC mode
-d Disable TRANSEC mode
Display TRANSEC configuration inform-
-p
ation

169 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

transec<CR> Display TRANSEC mode status

-l <length> Set frame length (bytes)
-t <ETHERTYPE> Set frame ethertype (hex)

Example: View transec status

CV1000_A>transec
Transec mode is disabled

Example: View transec status

CV1000_A>transec -e
Warning this command will enable TRANSEC mode
and reboot the unit!
do you wish to proceed ? (y/n) y
TRANSEC mode enabled
Rebooting . . .

When configuring the maximum throughput of the link an allowance should be made for the client
traffic and the encryptor management traffic.

upgrade
The upgrade command is used to initiate a firmware upgrade using an image supplied via a USB
memory stick..
Format: 
upgrade<CR> Initiate the upgrade

The command provides an alternative means of installing firmware on encryptors that do not have a
front panel keypad.
Prior to issuing the command the user must log in to the encryptor using an 'admin' account.

usb
The usb command is used to prevent or allow access to the encryptor front panel USB interface via
a logical locking mechanism.
Format: 
usb<CR> Display current USB port status
[lock|unlock] Enable or disable the USB port

Example: Display current status

CV1000_A>usb
USB port is unlocked

SafeNet Virtualised Encryptor CV1000 170

Command Line Interface (CLI)

If the port is locked then the encryptor will not respond to any USB device that is plugged in, includ-
ing memory sticks containing a valid firmware upgrade.

users
The users command allows the table of authorized system users to be viewed and edited.
Format: 
users<CR> List the current user tables
-a Add a user
-e <INDEX> Edit user INDEX
-n Show the number of users
-d <INDEX> Delete user INDEX

Example 1: Display current entries:

CV1000_A>users
Number of users in table is 1
Index UserId Active Level Console Snmp
----- ------ ------ ----- ------- ----
1 admin Yes Administrator Yes Yes
Example 2: Add a new user
CV1000_A>users -a
User id: <3-10 characters>: [] glen
User name: <max 30 characters>: [] simmons
Status: <(A)ctive | (I)nactive>: [Active]
Level: <(A)dmin | (S)uper | (O)perator | (U)pgrader >: [Operator]
Console access: <(E)nabled | (D)isabled>: [Enabled]
SNMP access: <(E)nabled | (D)isabled>: [Enabled]
Auth password: <8-29 characters>: **********
Confirm password: <8-29 characters>: **********
Privacy password: <8-29 characters>: **********
Confirm password: <8-29 characters>: **********
Password expiry: <yyyy-mm-dd | (S)ixty days | (D)isabled>: [0000-00-00]
Is the information correct? (y/n/q) y
New record added - index 3

Example 2: Delete a user

CV1000_A>users -d 2
UserId Active Level Console Snmp
------ ------ ----- ------- ----
Fred Yes Operator Yes Yes
Are you sure you want to delete entry ? (y/n) y
Record deleted

171 SafeNet Virtualised Encryptor CV1000

 Command Line Interface (CLI)

Only an Administrator can add new accounts or make changes to existing accounts (an unau-
thorised user is therefore unable to change his or her own password).
When editing or creating a new user the command prompts for each piece of information required, if
a default value is offered the Administrator may accept it by pressing <enter>.
The expiry date can be left as [0000-00-00], that is, inactive, or set to any valid date that is at least 2
days in the future.
User authorisation works in conjunction with the login process in that it provides the required pass-
words and specifies the expiry date.

version
The version command displays the encryptor's software library and version numbers as well as the
software build date and time.
Format: 
version<CR> Display version information

Example: Display version information

CV1000_A>version
Software:
Version : 2.7.1
Build Number : 1283747687
Build Date : 06-Sep-2017
Build Time : 04:34:47
Library
Build ID: D753

SafeNet Virtualised Encryptor CV1000 172

Glossary

Glossary

10GbE
10 Gbps Ethernet

8B/10B
Data encoding scheme that is designed to reduce noise levels and hence error rates

AAL5
ATM Adaptation Layer

ACK
An abbreviation for the acknowledgement of a message or state

Add-drop
Capability of a device to insert and/or extract messages from a communications chan-
nel

AES
Advanced Encryption Standard - an algorithm that encrypts and decryptes data using
a 128 or 256-bit key

AKN
Automated Key Distribution

ANZ
Abbreviation for Australia and New Zealand geography

AR-25
American Army password standard

ARP
Address Resolution Protocol - an Ethernet frame type that resolves an IP address into
a MAC address

AToM
Any Protocol over MPLS - a Cisco protocol that allows ATM and Ethernet to be trans-
ported over a layer 3 network

Authentication
Process of verifying a user's identity

173 SafeNet Virtualised Encryptor CV1000

 Glossary

BERP
Broadcast Encryption Resolution Protocol

BLACK
Refers to the network port of the encryptor where traffic is encrypted

BPDU
Bridge Protocol Data Unit - defines attributes of a switch

Bump in the wire

Bump in the wire refers both to the fact that a correctly configured encryptor has no
impact on the logical or physical operation of the network. You should be able to
bypass the units without disrupting operations.

CAT5
Standard cabling system used for Ethernet and other protocols

CC
Common Criteria - a formal, internationally recognised security accreditation

CDP
Cisco Discovery Protocol

CFB
Cipher Feedback mode of encryption

CGMP
Computer Graphics Metafile Protocol

CI
Connection Index - index into the Connection Action Table (CAT)

CIDR
Classless Inter-Domain Routing - an IP addressing scheme that replaces the older
system based on classes A, B and C.

CLI
Command Line Interface - an interface that can be accessed via a serial link to allow
configuration and/or monitoring of an encryptor

Control plane
The domain used by network traffic that is used to pass control information between
communications devices

COTS
Commercial Off the Shelf - refers to readily available commercial solutions

SafeNet Virtualised Encryptor CV1000 174

Glossary

CRM
Customer Relationship Management - a system designed to maintain details of cus-
tomer interactions and status.

Data plane
The domain used by network traffic to pass the user payload across the network

DCC
Direct client-client protocol

DEK
Data Encryption Key - the key used by an encryptor to encrypt the data that is to be
secured. Sometimes referred to as a 'Session' key.

DES
Data Encryption Standard - a U.S. standard that predates AES

DHCP
Dynamic Host Control Protocol - a protocol used by a host to set a units IP address

DiffServ
Differential services Architecture - aims to provide QoS services to applications

DPDK
Data Plane Development Kit - an Intel extension that provides improved performance

DSCP
(Differentiated Services Code Point - a value used to establish the priority of Ip frames

DSL
Digital Subscriber Line

DTP
Dynamic Trunking Protocol - Cisco layer 2 metadata protocol

DWDM
Dense Wavelength Division Multiplexing - similar to DWN, only using less separation
between channels

ECDH
An anonymous key agreement protocol that allows encryptors that have an elliptic
curve public-private key pair to establish a shared secret over an insecure network.

ELLF
Electrical Link Loss Forwarding

EOF
End of Frame - a reserved code that defines the end of certain protocol frames

175 SafeNet Virtualised Encryptor CV1000

 Glossary

EPL
Evaluated Products List - lists products that have been certified by a government body

ERP
Encryption Resolution Protocol - protocol for encryptor discovery/configuration

ESP
Encapsulated Security Payload

FCS
Frame checksum - added to the encrypted frame

FEC
Forward Error Correction - A mechanism used to detect and correct transmission
errors that may occur over an optical link.

FIPS
A security certification compliance accreditation

FollowCI
Follow Connection Identifier - specifies that the policy to be followed is the one spe-
cified by the connection table index

FPGA
Field Programmable Gate Array - high speed hardware used to implement crypto
engine

GFP
Generic Framing Protocol

GTS
A Cisco term for Generic Traffic Shaping, a rate limiting method

HSE
An abbreviation for High Speed Encryptor - usually refers to Ethernet models

ICMP
Internet Control Message Protocol - a core Internet protocol typically used to send
error messages

IDS
Intrusion Detection System - usually a network appliance

SafeNet Virtualised Encryptor CV1000 176

Glossary

IEC13
Standard for power plugs and cords

IFG
Ethernet Inter-frame Gap - the idle time between frames, measured in bit times

IGMP
Internet Group Management Protocol - a core Internet protocol used by IP hosts to
manage their dynamic multicast group membership

Inband management
Management of a remote encryptor using the local encryptor as a gateway to access
the required unit via the network being encrypted

IP
Internet Protocol - the layer 3 protocol used on the Internet

IPS
Intrusion Prevention System - usually a network appliance [cf. IDS]

IPv4
Version 4 of the Internet protocol - this is the most commonly used communications
protocol despite the fact that IPv6 is expected to replace it

IPv6
Version 6 of the Internet protocol - this is emerging/preferred Internet protocol

ITU
International Telecommunication Union - the body that is responsible for the
coordinaiton of internaitonal standards

KDF
Key Derivation Function - A NIST approved function that provides an encryption key
based on a seed and the encryptors random number generator

KDK
Key Derivation Key - An encryption key supplied by a Key Derivation Function

KEK
Key Encryption Key - a key used by the encryptor to encrypt a new Data Encryption
Key (DEK) so that it can be securely exchanged with a peer. Sometimes referred to as
a 'Master' key.

KME
Key Management Entity - a device that provides encrption keys. A QKD unit is a KME

KMIP
Key Management Interoperability Protocol

177 SafeNet Virtualised Encryptor CV1000

 Glossary

KVM
Kernel Virtual Machine

L2TP
Layer 2 Tunnel Protocol - see AToM

LAN
Local Area Network

LIS
Logical IP Subnet

LLC
Logical Link Control

LLDP
Link Layer Discovery protocol

LLF
Link Loss Fowarding - when enabled the state of the Local port is fowarded to the Net-
work port and vice versa

Local Encryptor
The encryptor that is directly managed via the encryptor's Ethernet port

LPM
Key Longest Prefix Match - An algorithm used to select the entry in a routing table that
is the 'best match' to a specified address. Used within TIM policy IP rules.

LPS
Limited Power Source - a power supply that limits its output current and power

MAC
Media Access Control - Layer 2 of the OSI model

MAC-C
MAC Control Frames - typically PAUSE frames for flow control

MAC address
Media Access Control - an Ethernet address

MAN
Metropolitan Area Network

MD5
Message Digest 5 - a Hash algorithm

SafeNet Virtualised Encryptor CV1000 178

Glossary

MKN
Manual Key Distribution

MPLS
Multiprotocol Label Switching - a technique to label routed packets to improve effi-
ciency

MTU
Maximum Transmission Unit - the maximum number of characters allowed in a pro-
tocol

NAK
an abbreviation for the unacknowleged state of a message or alarm

NAT
Network Address Translation - a method of remapping one IP address space into
another

NDP
Network Discovery Protocol - IPv6 specific

NFV
Network Function Virtualization - a network architecture concept that virtualizes entire
classes of network functions

NIC
Network Interface Card

NIST
National Institute of Standards and Technology - a U.S. Department of Commerce
agency that oversees security standards

NLB
Microsoft Network Load Balancing protocol

NTU
Network Termination Unit - physical terminating device

OID
Key Object Identifier - A unique identifier for a managed object within the Management
Information Base (MIB). Available within CM7 by right clicking on a control, or listed
within the MIB files.

OLLF
Optical Link Loss Forwarding

179 SafeNet Virtualised Encryptor CV1000

 Glossary

OpenVPN
OpenVPN - an open source software application that implements virtual private net-
work (VPN) technology

OSI
Open Systems Interconnect

OSPF
Open Shortest Path First - a protocol used to arbitrate between alternate routes

OTN
Optical Transport network - an ITU standard (G.709)

OUI
Organizationally Unique Identifier - part of the Ethernet protocol that allows vendor
defined elements

P12
A .P12 file contains a digital certificate including its private key

PABX
Private Automatic Branch Exchange - an automatic telephone exchange supported
within an organisation.

PCS
Physical Coding Sublayer - helps to define physical layer specifications( speed and
Duplex modes, etc).

PDU
Protocol Data Unit

PHY
Physical layer of a Network - relates to communications interfaces and standards

PVC
Permanent Virtual Circuit - ATM

qcow2
Generic virtual machine disk image

QKD
Quantum Key Distribution - provision for the distribution of encryption keys using
quantum mechanics

QoS
Quality of Service - method of ensuring delivery of specific traffic

SafeNet Virtualised Encryptor CV1000 180

Glossary

RED
Refers to the Local interface where traffic passes in the clear

Remote Encryptor
An encryptor that is logically connected to the network port on the local encryptor
through the data network

RMA
Return Merchandise Authorization process

RS232
Serial protocol used on console port

RSA
Public Key encryption algorithm

RTC
Real Time Clock - hardware device within the encryptor that maintains the time of day

SA
Security Association - defines the security of an IPSec tunnel

SAN
Storage Area Network

SAP
Service Access Point

SDH
Synchronous Digital Hierarchy

SFP
Small Form Pluggable transceiver for copper or optical connectivity - less than 10Gbps

SHA1
Secure Hashing Algorithm 1 - a cryptographic function that produces a 160-bit (20
byte) hash value

SKE
Secure Key Exchange - an ATM forum key exchange mechanism on which encryptor
key exchange is based

SNAP
Sub Network Attachment Point

SNMP
Simple Network Management Protocol - V3 is used for encryptor management. V1 can
be optionally used for encrytor monitoring.

181 SafeNet Virtualised Encryptor CV1000

 Glossary

SOH
Reserved code used to identify the start of a communications frame

SPE
Synchronous Payload Envelope - a SONET/SDH envelope

SPMA
Slow Protocol Multicast Address - (Ethernet OAM Protocol IEEE 802.3ah)

SSH
Secure Socket layer - layer 4 of the ISO model

SSL
Secure Socket layer - encryption applied at the Transport layer. Deprecated, TLS
replaces it.

SSTP
Simple Symmetric Transmission Protocol

STP
Spanning Tree Protocol - a protocol used to perform failover configuration

SVC
Switched Virtual Circuit - ATM

TCI
Tag Control Information specifies VLAN priority

TCP
Transmission Control Protocol - a core member of the Internet Protocol Suite (TCP is
L4 in the ISO model and L3 in the TCP/IP model)

TDM
Time Division Multiplexing - a means of transmitting a number of different sigals over
one link by allocating each to a time-slot within the frame

TIM
Transport Independent Mode - an encryptor mode that allows similtaneous encryption
at layers 2, 3 and 4

TKAM
Tunnel Keep Alive Monitoring - a protocol which when enabled monitors failover within
an Ethernet network

TLS
Transport Layer Security - a cryptographic protocol that provides communications
security over a computer network

TOS
Type of Service - Field in IPv4 header (see Diffserv)

SafeNet Virtualised Encryptor CV1000 182

Glossary

TPID
Tag Protocol Identifier - identifies VLAN Protocol

UDP
User Datagram Protocol - a core member of the Internet Protocol Suite (UDP is con-
nectionless and is L4 in the ISO model and L3 in the TCP/IP model)

UPS
Uninterruptable Power Supply

USB
Universal Serial Bus

VCAT
Virtual Connection Table

VCC
Virtual Circuit Connection - defines the end to end connection between two access
points

VCI
Virtual Circuit Identifier

VCSEL
low-cost vertical-cavity surface-emitting lasers

VLAN
Virtual LAN - a logically separate LAN within a Layer 2 Ethernet network

vmdk
VMWare virtual machine disk image

VNC
Virtual Network Computing

VPC
Virtual Path Connection (ATM)

VPI
Virtual Path Identifier (ATM)

VPLS
Virtual Private LAN Service

VPN
Virtual Private Network - a means of logically separating clients on a shared network

183 SafeNet Virtualised Encryptor CV1000

 Glossary

VTP
VLAN Trunking Protocol - a Cisco layer 2 metadata protocol

WAN
Wide Area Network

WDM
Wavelength Division Multiplexing - a means of sending a number of connections on a
single fibre by transmitting at different wavelengths

XFP
10 Gbps capable Small Form Pluggable transceiver for optical links

SafeNet Virtualised Encryptor CV1000 184

 Index

Algorithm(s)
Index defined 8
AR-25 108
/
standard 109
/KVM 28
AR-25-2 108
8
AR-25 password policy 86
802.3ae 12
AToM 14
A Attack Profile 5
Access Attack(s)
administrator 108 copper and fibre tapping 5
Access locking 84 profile 5
Account management 107 sources 4
Account(s) Audit 104
default 107 CLI command 137
defining 107 Log 122
maximun number 107 Messages 123
accredited 3 Authentication 108
Action authNoPriv 52-53
defined 8 authPriv 52-53
Actions Auto-population 49
Broadcast 99 Auto Discovery 138
Multicast 99 CLI command 138
Unicast 99 Auto Populate 49
Activation 69 CLI command 139
CLI command 136 Auto Population 139
Local 137 autonegotiation 156
Non Activated Password 111 B
using CM6 34
banner - CLI command 139
Activation using CM7 37
Build
Activation using the CLI 37
Date and time 84
Address
Number 84
front panel IP 88
of software 84
Administrator 6, 87, 107
Bump-in-the-wire 9
role 160
defined 9
Alarm(s) 103, 120
Bypass
acknowledging 120
action/mode 16
CLI command 137
Ethertype processing 99
indicator 120
IPMulticast 96
messages 129
Reserved Multicast 98

CV1000 185
Index

Bypass Reserved Multicast ftpcfg 142

setting via CM7 98 global 143
C help 136, 143

CA/Key Management history 144

Certificate Authorty creation 111 hostname 145

KDK key creation 111 initcfg 145

CAT 15 inventory 147

CC - see Common Criteria 9 ip 148

CCTV 4 iprules 150

Certificates kdf 151

hash algorithm 112 kscfg 153

CIDR 88 kscfg_tier 153

Cipher Feedback Mode licence 155

explained 17 linkspeed 155

CLI 9 logout 157

Setting Post-Login 87 ntpcfg 158

setting Pre-Login 87 password 159

setting Prompt 87 profile 160

Closed Circuit TV 4 prompt 161

cloud-init 45 reboot 162

CM.ini file 110 rest 161

CM7 snmpcfg 163

enable/disable entropy 84 snmptraps 163

installing 114 sshcli 164

System requirments 114 stats 164

Windows installation 114 syslog 167

Cog icon 110 tacacs 167

Command Line Interface 9 timezone 168

activate 136 transec 169

alarm 137 upgrade 170

audit 137 usb 170

autodisco 138 users 171

autopop 139 version 172

banner 139 Comment 83

community 140, 158 Commissioning

con 140 Activation with CM7 37

date 140, 152 Activation with the CLI 37

erase 141 Process description 34

event 142 Common Criteria

defined 9

186 CV1000
 Index

community - CLI command 140, 158 CLI command 84, 140

Community string 109 of Software build 84
con - CLI command 140 setting from CM7 36
Configuration setting from CMv7 | Management.CM7_Cndx |
[65] 84-85
listing 50
source of 36
server 63
DEK
servers (defined) 68
defined 9
TIM mode via CLI 49
egress 45
configuration database 63
DHCP 34
Configuration server
Diagnostic(s) 101
databases 117
Diagnostics
Configuration settings 117
Local interface 103
Connection Action Table 15
Management 102
Connection(s) 32
Network interface 103
defined 9
Start up tests 110
rule 15
Diffie-Hellman 108
Console 87
security level 60
Inactivity lockout 109
Discard
Management 87
action/mode 16
Contact details 83
Discover(y)
Control plane 15
timeout 111
Counter mode
Discover(y) (CMv7) 111
explained 17
Display Errors 111
Craft interface 6
Display Reports 111
credentials 69
Document i
Credentials
default 34 E

Crypto E3

CLI command 145 protocol 9

CTR Eavesdropping

encryption mode 17 protection against 8

Current User Path 111 ECB 19

CV1000 encryption mode 19

requirements 30 Egress

D DEK 45
Encryption 1
Data-in-transit 12
interfaces 100
Data insertion/manipulation 8
modes 16
Date and time
overview 27
'Not Before' 36
platforms 27

CV1000 187
Index

policy 15 F
Process 16 FCS
Encryptor List Refresh Rate(sec) 111 errored frames 32
Encryptor(s) Ethernet 40
Comment field 83 FCS errors 103
Commissioning 34 Feature 37
Contact details 83 FEC 157
data flow in 15 Field Programmable Gate Arrays 16
Description field 83 FIPS
Firmware level 83 140-2
Hardware version 83 defined 9
Interface configuration 101 enable/disable from CMv7 84
Name of 83 mode 108
Restart from CMv7 84 Firmware
Serial number 83 feature matrix 37
Symbol 8 level 83
Vendor field 83 Firware
Entropy version 83
enale/disable 84 FPGA 16
erase - CLI command 141 Frame formats
Errors TIM 48
Local and Network ports 103 Fraud 3
eth0, eth1, eth2 NICs 28 Front panel 82
Ethernet keypad eanable/disable 84
prtocol considerations 11 USB enable/disable 84
Ethernet encryption 40 FTP Servers 90
connection rule 16 Ftpcfg
encryption policy 40 CLI command 142
Policy 41 FTPS 90
Ethertype(s) 99 G
defined actions 99 Gateway 6
unknown action 99 GCM
Event 104 encryption mode 17
CLI command 142 gcow2 VM image 28
Logs 121 Global 96
Event log CLI command 143
Messages 128 GMT 169
Exiting from CM7 61
H
Explicit Login 111
Hackers 4
Export Config 50

188 CV1000
 Index

Hardware Iprules 45
details 84 iprules - CLI command 150
Hash algorithm 112 IPS 4
Help ISO model 11
CLI 136 K
CLI command 143 kdf
hexadecimal 136 CLI command 151
Hexadecimal KDF 96-97
0xhhhh form 136 KDF - key derivation function 42
Hhhhh form 136 KDK
History current key 76
CLI command 144 Install time 75
I keys 113
ICMP next key 76
statistics 31 KDK - Key Derivation Key 151
Icons KDK file creation 114
Cog 110 KDK Key distribution 75
IDS 4 KEK
IGMP/MLD defined 9
Processing 96 Key Derivation Function 42, 97
inband_vlan 88 Key derivation key 151
initcfg - CLI command 145 Key Provider model 42
Install UTC Time 75 Key Server Provider 44
Installing CM7 114 Key servers 42
Intellectual property 3 Key(s) 9
Interface defined 9
RESTful 56 Keyprovider
interface(s) CLI command 152
management, defined 9 Keysecure
Interface(s) configuring with CM7 90
network, defined 9 KeySecure
Inventory adding servers 91
CLI command 147 KeySecure key provider 44
IP KMIP 96
CLI command 148 with Auto population 49
IP addresses KMIP key server 42
setting from CMv7 35 kscfg
setting from the CLI 34 CLI command 153
IP Rules 99

CV1000 189
Index

kstier overview 7
CLI command 153 responsibility 3
L Message(s)

Lexical diversity Alarm 129

checking 108 Audit 123

Licence SNMP Trap 132

CLI command 155 System 128

Licensing screen 71 MIB 51

Link Loss Forwarding Mode(s)

Alarm message 130 defined 9

Link status 101 Module details 84

linkspeed - CLI command 155 Monitoring

List configuration 50 Alarms 57

Local activation 137 Moving CM7 to a new PC 119

Local interface MPLS 13

Diagnostics 103 Multicast 138

statistics 32 N
status 101 Name 83
Locking NAT
front panel 84 encrypting Layer 3 traffic 100
USB 84 Network 87
Login encryption overview 8
explicit 111 interface defined 9
Logout Management addresses 87
CLI command 157 reliability 7
Logs 120 topologies 6
Audit 122 weakness 3
Event 121 Network interface
Longest Prefix Match 100 Diagnostics 103
M statistics 32

MAC address 31 status 101

Maintainer 6, 87, 107 Network View refresh Rate(sec) 111

Manage 79 NFV

Management functionality 52

gateway address 88 NFV See Network Function Virtualization 28

interface definition 9 NIST 42

interfaces 31 Non Activated Password 111

IP address 88 NTP 44

network prefix 88 Server 36, 84-85

190 CV1000
 Index

Server count 120 Protocol 97

ntpcfg - CLI command 158 Ethernet considerations 11
NTU Protocol(s)
see Network Termination Unit 20 defined 9
O Public Path 111

OID 56 PuTTY key generator 92

OpenView 6 PuTTYgen 92

Operational Mode 96 Q
Operator 6, 87, 107 QEMU 28
Overview 82 QoS 12

P R
Password Real Time Clock 36
lockout period 160 Reboot
Non Activated 111 CLI command 162
Password(s) Redis 69
characters 86 Refresh Rate
CLI command 159 Network View 111
Enhanced 86 Refrsh rate
lexical diversity 108 Encryptor List 111
Policy Parameters 86 Release matrix 37
Passwords 7 Reliability of networks 7
allowed characters 108 Responsibility
enhanced mode 108 for security 6
PHY 12 rest - CLI command 161
PMD 11 RESTful interface 56
Policy 96 Access with CM7 56
defined 9 examples 57
Ethernet encryption 41 RFC1035 83
Layer 3/4 IP Rules 99 Risk 3-4
security 9 analysis 4
TIM 45 Roles
Port speed Administrator 107
auto negotiation 101 Maintainer 107
Post-Login 87 Operator 107
PPRNG psuodorandom number generator 43 Supervisor 107
Pre-Login 87 Routing 55
Privacy Act 1988 3 RS232 interface 6
profile - CLI command 160 Rules 9
prompt - CLI command 83, 161

CV1000 191
Index

S enabling 109
Secure enabling with CMv7 89
action/mode 16 SNMPv2
Secure Shell (SSH) 92 trap messages 122
Secure Sockets Layer 12 SNMPv3 53
Secure Sockets Layer (SSL) 12 Software
Security Build 84
overview 15 Description 84
practices 6 Source 36
responsibility for 6 SSH 92
Security levels 60 key pair creation 92

Sender ID 45 sshcli - CLI command 164

Session 9 SSL 12
Session Timeout 111 Station ID 111
Setting Statistics
Security levels 60 management port 102
Settings stats - CLI command 164
hiding if not required 111 STP
Settings file 110 in networks 14
SFTP 90 Supervisor 6, 87, 107
SNMP 89, 122 Syslog
cancelling requests 52 CLI command 167
configuring traps 6 configuration using CMv7 89
integration 7 Server IP Address 86, 90
Local encryptor management 53 System

role of 6 details 84

Security levels 60 details display 84

SNMPv1 109 System requirements
trap configuration 89 CM7 114
Trap messages 132 T
Trap Preferences 122 T1 9
traps 6 tacacs - CLI command 167
SNMP traps TACACS+ 91
changing listener port 111 terminology 8
enabling CMv7 to receive 111 Terrorism 3
snmpcfg - CLI command 163 Ticket Request Password 111
snmptraps - CLI command 163 Tile
SNMPv1 management windows 111
Community String 89

192 CV1000
 Index

TIM SNMP access 87

configuration via CLI 49 UTC 169
frame formats 48 Utilization 83
key synchronization 47 V
policy 45 Vendor field 83
shim formats 47 Version
TIM mode CLI command 172
KDK distribution 75 hardware 83
KDK generation 113 virtualised 3, 5-6, 9, 12-13, 30, 53
Time Zone 85 VM
Time zones 36 clone operation 28
Timezone VM - virtual machine 28
CLI command 168 vmdk 28
Tivoli 6 VPLS 13
Topologies 9 inband management 88
transec VPN 13
CLI command 169 capability confusion 13
Transport Layer Security (TLS) 12 VPWS 13
Traps W
enabling 122
Warnings
SNMP 6
enabling display 111
Tunnels
Windows
defined 10
Refresh rate 111
U
X
UDP 31
XAUI 12
management statistics 31
upgrade - CLI command 170
Upgrade screen 105
usb - CLI command 170
User account
details 86
User(s) 86
access 109
Account details 86
account management 107
CLI command 171
console access 87
logout 136
Name (short and long) 86

CV1000 193
194 CV1000