How to Protect Data-in-Motion

Data-in-motion, also called data-in-transit, refers to digital information while it is being transferred between nodes on a network. Once the data is stored on a hard drive or network attached storage (NAS), it is considered data-at-rest.

Equipping your military system with capable technology and protecting sensitive data from external threats are top priorities for system integrators and operators. Data can be exposed to risks both while in motion and at rest and requires protection in both states. To this end, encryption is key to maintaining the data’s integrity throughout its intended course. Multiple standards-compliant systems that secure sensitive and classified data are available, offering layered encryption in hardware, software, or a mix of both, for system integrators to choose from.

Protecting your Data: Encryption Methods

IPsec Encryption

Internet Protocol Security (IPsec) is a suite of secure network protocols that authenticates and encrypts packets between two communication points over a Layer 3 IP wide area network (WAN). Network routers and security systems that support commercial VPN capabilities are traditionally built around IPsec and similar well-known cryptographic standards.

MACsec Encryption

When a local area network (LAN) needs to protect Layer 2 Ethernet traffic, MACsec (802.1AE) encryption can authenticate and safeguard data. The MACsec standard enhances LAN traffic security by identifying unauthorized LAN connections and excluding them from communication within the network. In addition, the protocol authenticates nodes through a secure exchange of randomly generated keys, ensuring data can only be transmitted and received by MACsec-configured nodes.

NSA Type 1 and CSfC Solutions

Traditionally, the U.S. government has used National Security Agency (NSA) Type 1 equipment built around classified algorithms to secure network traffic. However, this technology was generally only available to the government and its contractors, and its use comes with many burdensome restrictions and custodial requirements. In recent years, protecting a military platform’s classified data-in-motion as it’s routed over an IP network has become more accessible, more affordable, and faster to deploy, with the NSA’s approval of the use of commercial encryption technologies.

The Commercial Solutions for Classified (CSfC) program is an NSA initiative that allows commercial off-the-shelf (COTS) solutions that have been verified and approved to meet national security standards to be used in layered solutions protecting national security system (NSS) data classified up to Top Secret. This approach makes it far less burdensome to secure embedded network communications on board an aircraft, vessel, or ground vehicle, carried to the tactical edge, or even used in a home or field office. That’s because integrators can use a layered commercial solution based on public cryptography and secure protocol standards.

CSfC requires the use of two encryption layers, each of which can be hardware, software, or a mix of the two. In addition, to speed their system development, system integrators can select approved commercial components from the NSA Central Security Service (CSS) components list, which shows system designers which cybersecurity solutions are approved.

Solutions for Protecting Wired Data-in-Motion

As a solution technology integrator (STI) for Cisco Systems, Curtiss-Wright integrates Cisco’s ESS-3300 embedded switch and ESR-6300 embedded router cards into rugged systems for military use cases. These Cisco technologies have undergone rigorous testing and obtained certifications, including FIPS 140-2, Common Criteria, and approval as CSfC components. These Cisco technologies are based on enterprise-grade Cisco IOS-XE software, which provides network security features that ensure highly secure voice, video, and data communication. In addition, IOS-XE has been validated on many other Cisco products for both Common Criteria and CSfC.

Switching solutions featuring CSfC-approved Cisco ESS-3300

26-port rugged Cisco switch with PoE

Parvus DuraNET 3300 10G/1G Rugged Ethernet Switch

For Layer 2 (LAN) Ethernet switch traffic data-in-motion security using MACsec, Curtiss-Wright’s Parvus® DuraNET® 3300 and PacStar PS444 and PS446 rugged Ethernet switches package Cisco’s ESS-3300 technology in small form factor (SFF) chassis that combine mechanical ruggedness with Cisco’s high-performance IP networking capabilities. Both the Parvus and PacStar solutions use the same Cisco technology; they are packaged in different ways, with different connector types, different levels of ruggedness, etc. With Cisco Network Essentials or Network Advantage IOS-XE software license options, the units can support managed Layer 2 switching and Layer 3 dynamic routing with a comprehensive set of secure network services.

PacStar PS444

Routing Solution featuring CSfC-Approved Cisco ESR-6300

6-port rugged Ethernet router

Parvus DuraMAR 6300 Rugged Ethernet Router

To secure data-in-motion for Layer 3 Wide Area Network (WAN) data, Curtiss-Wright’s Parvus DuraMAR® 6300 and PacStar PS447 integrate Cisco’s ESR-6300 router card and IOS-XE software into rugged systems suited for size, weight, and power (SWaP)-constrained military and civil vehicle/aircraft installations. Packaged in different ways with different connector types and levels of ruggedness, these SFF secure network routers are ideal for red-black architectures, leveraging Commercial National Security Algorithm (CNSA) suite cryptography for IPsec (aka NSA Suite B).

PacStar PS447

Solutions for Protecting Wireless Data-in-Motion

The NSA now allows classified information to be transmitted on wireless connections, even over public and partner networks, using two sets of encryption technologies (such as Cisco and Aruba VPNs), one layered inside the other. The NSA has also approved combinations of solutions that include a layer of VPN combined with encryption provided by Wi-Fi, TLS, or MACsec, following specific guidelines.

Curtiss-Wright offers turnkey solutions based on its PacStar® 400-Series modules that can be used in a CSfC solution. These solutions are available directly from Curtiss-Wright and through other large DoD-focused systems integrators/prime contractors.

Curtiss-Wright collaborates closely with industry-leading, enterprise-class makers of networking, encryption, and cybersecurity technologies – integrating, testing, and certifying their technologies into PacStar modular systems. We provide the solutions in a pre-integrated and configured state and customize the solutions to meet program requirements.

PacStar CSfC Solutions are managed by PacStar IQ-Core® Software Crypto Manager (CM) to simplify maintenance, unify management, reduce complexity, decrease downtime, and shorten training for system administrators. PacStar IQ-Core CM significantly reduces equipment costs over Type 1 encryption hardware and enables U.S. coalition partner interoperability without using controlled cryptographic items (CCI).
