Advantages of the L2 Box at a glance
High-performance encryption with data throughput of up to 100 Gbit/s.
An encrypted system platform with smart card technology.
The boxes can be integrated into existing network infrastructures without modification and allow virtually maintenance-free operation.
The SINA L2 Box is approved in various configurations from VS-NfD up to and including SECRET, NATO SECRET as well as SECRET UE/EU SECRET.
The SINA L2 Box S can be used flexibly in its different variants. With a data throughput of up to 100 Gbit/s, the solution is particularly strong in the data center coupling scenario: its encryption performance handles large volumes of data while meeting the very high security requirements for VS-NfD.
The SINA L2 Box H is an Ethernet encryption device for national and international high-security networks with BSI approval up to and including SECRET.
Digital data transmission
With advancing digitization and the automation of business processes, the bandwidth requirements for digital data transmission are constantly increasing. Particularly in data centers and cloud-based applications, requirements are rapidly rising into the 100 Gbit/s range.
In the environment of classified information, these bandwidths can often only be covered by several systems deployed in parallel - the SINA L2 Box S, on the other hand, can achieve this high encryption performance with a single system in a VS-NfD-compliant manner. This saves space, energy and maintenance costs.
Data center connectivity
With the high encryption performance of the SINA L2 Box S, data centers can be efficiently coupled via fiber optic cables. This is particularly advantageous in the environment of high-availability data center clusters.
In this way, VS-NfD-compliant point-to-point tunnel connections can be set up at network layer 2 between two or more data centers (ring topology). Over these tunnels, applications within and between the data centers can communicate securely at both layer 2 and layer 3.
The SINA L2 Box also acts as a highly secure firewall function at the access point to the data center: only cryptographically authenticated packets are allowed through, and invalid packets are immediately discarded in hardware.
SINA – Secure Inter-Network Architecture
SINA was developed as a holistic security system that protects entire digital infrastructures. At its core, perfectly matched network components and clients ensure effective encryption and separation of differently classified data - locally and when transferred over the internet.
SINA is used worldwide by governments, critical infrastructures and in industry and is the leading security architecture in the Federal Republic of Germany with over 170,000 installed systems.
SINA Management centrally manages and configures all users and components of the SINA product portfolio. The networks to be protected are set up, configured and administered in a structured manner. With its graphical user interface, SINA Management enables the simple configuration of security relationships and access authorizations between SINA components and networks.
This is how SINA Management works: configuration data, such as IP address configurations or routing information of the SINA components, is written to the SINA ID Token, a trusted and protected storage medium (smartcard, security token or USB token with integrated smartcard). The configuration data is thus securely stored on the SINA ID Token and made available to the SINA components. In the process, SINA Management generates and manages the keys and certificates required for secure operation of the components and also writes them to the storage media. SINA Management is used to manage infrastructures with up to several thousand SINA devices.
Post Quantum Cryptography
For the coming era of quantum computing, encryption methods are needed that remain secure against quantum computers (post-quantum cryptography). This is because today's asymmetric methods do not provide sufficient protection against attacks by quantum computers, whereas the presumed impact on symmetric primitives is less severe.
The SINA L2 Box S already follows the BSI's recommendation for action on "migration to post-quantum cryptography". The SINA L2 Box S uses a pre-distributed symmetric long-term key for regular key derivation, which is provided to the device on a PIN-protected smartcard. This makes it possible to symmetrically encrypt the asymmetric key exchange between two devices using a pre-distributed secret.
For cryptography on elliptic curves, the SINA L2 Box S also offers the option of secret curve parameters. This reduces the attack surface against quantum computers, since the curve parameters can only be calculated once three points on the curve are known.
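The scheme described above, an asymmetric key exchange whose messages are symmetrically encrypted under a pre-distributed long-term secret, is illustrated below as an added example written for this page; it is not SINA code and does not show the device's actual protocol. The assumptions are: X25519 stands in for the device's elliptic-curve exchange, AES-256-GCM under a key derived from the pre-shared secret protects the exchange messages, HMAC-SHA256 is used as a simple KDF, the pre-shared key and the private-key seeds are constructed values, and the session ID stands in for fresh per-session values both sides contribute. The session key mixes in both the pre-shared secret and the ECDH result, so an attacker who breaks the asymmetric part alone (for example with a quantum computer) still lacks the symmetric secret.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example PSK; on the real device the long-term key comes from the PIN-protected smartcard.
var presharedLongTermKey = sha256.Sum256([]byte("constructed example long-term key"))

// deriveKey expands a secret into a purpose-bound 32-byte sub-key (HMAC-SHA256 used as a simple KDF).
func deriveKey(secret []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPublicKey encrypts and authenticates an ephemeral public key under the PSK-derived wrapping
// key, so a party without the PSK can neither read nor forge the exchange message.
func sealPublicKey(wrapKey, nonce, pub []byte) ([]byte, error) {
	gcm, err := newGCM(wrapKey)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, pub, nil), nil
}

// openPublicKey is the receiving side; any modification of the message fails the GCM tag.
func openPublicKey(wrapKey, nonce, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(wrapKey)
	if err != nil {
		return nil, err
	}
	pub, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, errors.New("exchange message rejected: authentication failed")
	}
	return pub, nil
}

// hybridExchange runs one PSK-wrapped X25519 exchange between sides A and B and returns the
// session key each side derived. The seeds stand in for the devices' random ephemeral private
// keys and are fixed only to keep the example reproducible; tamper flips one bit of A's message.
func hybridExchange(psk, sessionID, seedA, seedB []byte, tamper bool) ([]byte, []byte, error) {
	curve := ecdh.X25519()
	privA, err := curve.NewPrivateKey(seedA)
	if err != nil {
		return nil, nil, err
	}
	privB, err := curve.NewPrivateKey(seedB)
	if err != nil {
		return nil, nil, err
	}
	// The wrapping key is bound to the session, so the fixed per-direction nonces below are never
	// reused under the same key (nonce reuse would break GCM).
	wrapKey := deriveKey(psk, "exchange-wrapping-key", sessionID)
	nonceA, nonceB := []byte("A->B nonce00"), []byte("B->A nonce00") // 12 bytes each

	msgA, err := sealPublicKey(wrapKey, nonceA, privA.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	msgB, err := sealPublicKey(wrapKey, nonceB, privB.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		msgA = append([]byte{}, msgA...)
		msgA[0] ^= 0x01 // a bit flipped on the wire
	}

	pubABytes, err := openPublicKey(wrapKey, nonceA, msgA) // B unwraps A's message
	if err != nil {
		return nil, nil, err
	}
	pubBBytes, err := openPublicKey(wrapKey, nonceB, msgB) // A unwraps B's message
	if err != nil {
		return nil, nil, err
	}
	pubA, err := curve.NewPublicKey(pubABytes)
	if err != nil {
		return nil, nil, err
	}
	pubB, err := curve.NewPublicKey(pubBBytes)
	if err != nil {
		return nil, nil, err
	}
	sharedOnB, err := privB.ECDH(pubA)
	if err != nil {
		return nil, nil, err
	}
	sharedOnA, err := privA.ECDH(pubB)
	if err != nil {
		return nil, nil, err
	}
	// Hybrid session key: the PSK and the ECDH secret both go in, and the transcript (both public
	// keys) binds the key to this particular exchange.
	keyA := deriveKey(psk, "session-key", sharedOnA, pubABytes, pubBBytes)
	keyB := deriveKey(psk, "session-key", sharedOnB, pubABytes, pubBBytes)
	return keyA, keyB, nil
}

func main() {
	seedA, seedB := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
	keyA, keyB, err := hybridExchange(presharedLongTermKey[:], []byte("session-0001"), seedA, seedB, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("session keys match: %v\n", bytes.Equal(keyA, keyB))
	_, _, err = hybridExchange(presharedLongTermKey[:], []byte("session-0002"), seedA, seedB, true)
	fmt.Println("tampered exchange:", err)
}
```

The tamper path is the defender-relevant check: because the exchange messages are authenticated under the pre-shared secret, a modified or injected public key is rejected before any ECDH computation takes place, and two devices that do not share the long-term key cannot complete the exchange at all.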
Separate data and cryptography
The high-performance SINA L2 Box S can also be used to encrypt data transmitted over Wavelength Division Multiplexing (WDM) connections. In this setting, encryption of the entire data stream between the end stations (layer 1 encryption) is often used, but only in a few exceptional cases is it currently certified for classified information. Another disadvantage of layer 1 encryption is that the data transmission and cryptographic functions cannot be separated, although in larger organizations these are often the responsibility of different parties. If both functions are installed in one system, responsibility for operation and configuration cannot be clearly assigned.
With the SINA L2 Box S, it is possible to encrypt complete 100 Gbit/s wavelength links at network layer 2 without this being noticeable in the network topology. Responsibility for cryptography and data transport can thus be separated according to requirements, and encrypted and unencrypted wavelengths can be transmitted together.
Use infrastructure efficiently
When networking different locations of public authorities and companies, there is a considerably increased demand for bandwidth, especially in star-shaped topologies at the main locations. Instead of using multiple parallel transitions, a high-performance SINA L2 Box S can be integrated. Duplication is then only required for redundancy reasons. As a result, both the connection infrastructure used (e.g., fiber optics) and the available space in the network node locations can be used much more efficiently.
Manage networks with cloud-based technologies
A software-defined wide area network (SD-WAN) uses software and cloud-based technologies to manage networks. This allows higher bandwidths to be achieved and costs to be reduced in modern network infrastructures. The high encryption performance of the SINA L2 Box S can be used to secure data exchange in this context.
In SD-WAN approaches, additional information is processed for packet forwarding by setting up sets of rules (policies). Among other things, the requirements of the applications used and the quality of the networks used are taken into account. For example, in the case of voice or video connections, data packets can be recognized as such and efficiently transported via a corresponding rule (e.g., always via the network with the currently lowest delay).
A distinction is made between the overlay and underlay of the data transport. The policy-based forwarding decision is made in the overlay. In the underlay, the data transport takes place between the sites. Since the underlay networks are usually spanned over infrastructure that is not trustworthy in terms of security, the data content must be encrypted at the latest at the transition between overlay and underlay.
A major advantage of using the SINA L2 Box at the transition between overlay and underlay lies in how IP connections are handled: instead of forwarding individual IP packets at network layer 3, only the corresponding data transport between the site transitions at network layer 2 is processed. The SINA L2 Box S thus provides a transparent and independent encryption function without affecting the network function provided by the SD-WAN.
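The two properties this page attributes to the encryptor, transparent layer-2 encryption that leaves IP forwarding untouched (this paragraph) and the firewall behaviour at the site boundary where only cryptographically authenticated frames pass and everything else is discarded (the data center connectivity section above), are shown together in the added example below. It is written for this page and is not SINA code; the framing is a constructed, MACsec-like layout (outer MAC addresses kept, EtherType replaced, a 64-bit sequence number, then AES-256-GCM over the inner EtherType and payload with the outer header as additional authenticated data). The EtherType value 0x88B5 is the IEEE local experimental EtherType, used here as a placeholder for whatever a real product uses; the key, MAC addresses and IPv4 header are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	etherTypeIPv4      = 0x0800
	etherTypeEncrypted = 0x88B5 // IEEE 802 local experimental EtherType, placeholder for a real product's value
	outerHeaderLen     = 14 + 8 // dst MAC, src MAC, EtherType, 64-bit sequence number
)

// l2Tunnel is one direction of a point-to-point layer-2 encryptor. A bidirectional link would use
// one instance per direction with distinct keys.
type l2Tunnel struct {
	aead      cipher.AEAD
	txSeq     uint64
	rxHighest uint64
	rxStarted bool
}

func newL2Tunnel(key []byte) (*l2Tunnel, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &l2Tunnel{aead: aead}, nil
}

func nonceFor(seq uint64) []byte {
	nonce := make([]byte, 12) // unique per frame under this key because seq never repeats
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// encapsulate turns a frame from the trusted side into the frame sent over the untrusted link.
// The MAC addresses stay in clear so switches on the path still forward the frame; the inner
// EtherType and payload (here an IPv4 packet) are encrypted, so layer-3 addressing is hidden and
// untouched, which is what makes the encryptor transparent to the IP network.
func (t *l2Tunnel) encapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 14 {
		return nil, errors.New("frame too short")
	}
	t.txSeq++
	header := make([]byte, outerHeaderLen)
	copy(header, frame[:12])
	binary.BigEndian.PutUint16(header[12:], etherTypeEncrypted)
	binary.BigEndian.PutUint64(header[14:], t.txSeq)
	// Seal appends ciphertext and tag after the header; the header itself is authenticated as AAD.
	return t.aead.Seal(header, nonceFor(t.txSeq), frame[12:], header), nil
}

// decapsulate verifies and decrypts a frame from the untrusted link. Frames with a bad tag or a
// replayed sequence number are discarded, so only frames produced by a holder of the key reach
// the trusted side: the "only authenticated packets pass" behaviour at the site boundary.
func (t *l2Tunnel) decapsulate(wire []byte) ([]byte, error) {
	if len(wire) < outerHeaderLen+t.aead.Overhead() {
		return nil, errors.New("discarded: truncated frame")
	}
	header := wire[:outerHeaderLen]
	if binary.BigEndian.Uint16(header[12:]) != etherTypeEncrypted {
		return nil, errors.New("discarded: not an encrypted frame")
	}
	seq := binary.BigEndian.Uint64(header[14:])
	inner, err := t.aead.Open(nil, nonceFor(seq), wire[outerHeaderLen:], header)
	if err != nil {
		return nil, errors.New("discarded: authentication failed")
	}
	// Replay check only after authentication, so a forged sequence number cannot move the window.
	// Strictly increasing sequence numbers mean reordered frames are dropped too.
	if t.rxStarted && seq <= t.rxHighest {
		return nil, errors.New("discarded: replayed or out-of-order frame")
	}
	t.rxStarted, t.rxHighest = true, seq
	out := make([]byte, 0, 12+len(inner))
	out = append(out, header[:12]...) // original MAC addresses
	return append(out, inner...), nil // original EtherType and payload
}

// sampleIPv4Frame builds a constructed Ethernet frame carrying a minimal IPv4 header
// (10.0.0.1 -> 10.0.1.1, protocol ICMP, no payload).
func sampleIPv4Frame() []byte {
	frame := []byte{
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // dst MAC (locally administered, constructed)
		0x02, 0x00, 0x00, 0x00, 0x00, 0x02, // src MAC
		byte(etherTypeIPv4 >> 8), byte(etherTypeIPv4 & 0xff),
	}
	ip := []byte{0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
		10, 0, 0, 1, 10, 0, 1, 1}
	return append(frame, ip...)
}

func main() {
	key := sha256.Sum256([]byte("constructed site key"))
	tx, _ := newL2Tunnel(key[:])
	rx, _ := newL2Tunnel(key[:])
	wire, _ := tx.encapsulate(sampleIPv4Frame())
	fmt.Printf("on the wire: %x\n", wire)
	frame, err := rx.decapsulate(wire)
	fmt.Printf("delivered: %x (err=%v)\n", frame, err)
	_, err = rx.decapsulate(wire)
	fmt.Println("replayed copy:", err)
}
```

Because the receiver checks the authentication tag before it looks at anything else, an attacker on the underlay who injects, modifies or replays frames gets nothing through; the same check is what lets the encryptor sit in front of an SD-WAN without the SD-WAN needing to know about it.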
Where the interconnected endpoints are essentially sites and data centers, their number is usually small to medium, but the individual bandwidths can become very high. The SINA L2 Box S, with its performance levels of 10 Gbit/s, 40 Gbit/s and up to 100 Gbit/s, is ideally suited for this application scenario. The SINA L2 Box S 100G can be used both in point-to-point scenarios and as a headend for aggregation solutions.
This leaves network operators free to choose an SD-WAN solution in the unencrypted network area. In addition, the SINA L2 Box S offers a transparent VS-NfD-approved solution for secure data exchange "Made in Germany" that is independent of the respective SD-WAN manufacturer.