Encrypted Ethernet Tunnel Utilizing FIPS Certified Encryption Module

FT Family Encrypted Ethernet Tunnel FIPS certified encryption module The FT-6606/6632/Soft creates encrypted tunnels FT-6606 0 to +40 C, FT-6632 +10 to +35 C FT-6606 - 3 configurable ports (1000BaseT) FT-6632 - 1 Trusted port, 1 Untrusted ports (1000BaseT) FT-Soft - Windows PC Software Client Easy to setup and maintain FT-6606 supports 40 Mbps up to 25 client units FT-6632 supports Up to 720 Mbps and up to 50 client units Operates as server, client, or client & server Extensive statistics, logging and diagnostics Tunnels at the Layer 2 level, including multicast Ethernet to Ethernet Bridge/Tunnel supports 4,096 MAC addresses Remote PCs appear to be on the local network Bridges 802.1Q tagged V-LAN trunks Extensive filtering on MAC, IP, and Protocols Transports data either TCP/IP or UDP UDP transport is ideal for voice and video

FT-6606 Front View FT-6632 Front View

FT-Soft Client Software

DESCRIPTION

The FT tunnels create an encrypted tunnel through IP networks. The FT-6606 features three Ethernet LAN ports and a serial port for initial setup, the FT-6632 offers 2 Ethernet ports and a serial port.

FT tunnels encrypt any ethernet data between private networks using the public Internet or any other network as the transport.

Each unit can be configered as a server, a client or simultaneous as both a client & server device. As a server, the FT-6606 supports up to 25 simultaneous client units. The FT-6632 supports up to 50 clients.

The Ethernet user data transport between FT units may be either TCP/IP or UDP. UDP is preferred for wireless links, for voice and for video transport. An FT server can support UDP and TCP/IP client units simultaneously.

The FT-Soft client software allows Windows workstations to connect to any FT server as a stand-alone client. This is quite useful for stand-alone dispatch workstations or portable notebook-based operations. Click here for more information on the FT-Soft software client.

The FT series uses a FIPS certified encryption module. AES is used for the bulk data encryption. SHA1 is used for signing and RSA 2048 for key exchange and authentication. A USB memory device is used for certificate information storage.

All FT-6606 and FT-6632 Ethernet ports are 10/100/1000BaseT. The serial port may only be used for initial IP setup. The FT's are typically setup and always managed using a web browser. The server should have a fixed or known DHCP IP address. Clients can use DHCP or have fixed IP addresses.

The FT series operate through firewalls using only one port of your choice opened. It bridges all Ethernet protocols including IPX, IP, NetBEUI, and other proprietary or unroutable protocols. The FTs are straight-forward, easy to configure and maintain. They have state-of-the-art AES encryption security without the configuration complexity of VPN.

For encryption of serial RS-232 links not involving ethernet or IP, see our SE-6600 product line. For encryption of ethernet or IP links using non FIPS certified modules and other features, see our UT or XT series products.

Due to the encryption employed in these products, FT series products are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. Some models of the ET and FT series are classified as mass market encryption devices and may not be exported or shipped for re-export to restricted countries in Country Group E:1.

SPECIFICATIONS

General

• One asynchronous DE-9P RS-232 serial port which may be for setup
• FT-6606 - Three Ethernet ports, 10/100/1000 BaseT
• FT-6632 – Two Ethernet ports, 10/100/1000 BaseT
• USB Port for certificate information storage
• FT-6606 sustained throughput of 40 Mbps
• FT-6632 sustained throughput of 720 Mbps
• FT-6606 supports up to 25 client units
• FT-6632 supports 50 clients units
• FT-Soft performance is determined by the PC workstation
• 4,096 MAC address table entries
• The FT encryption uses an embedded FIPS 140-2 validated cryptographic module (Certificate #1747) running on a Linux x86 platform per FIPS 140-2 Implementation Guidance section G.5 guidelines

Protocol Features

• TLS ver 1.0, AES 256 bit encryption
• Optional UDP transport for Ethernet data with AES 256 bit encryption. When in UDP mode, certificate exchanges and authentication use TCP/IP
• Web browser configuration and management from local trusted interface
• Robust failover features
• Default IP address: 192.168.0.1
• Initial setup via local serial terminal
• Supports tunneling of 802.1Q VLAN
• Extensive filtering on MAC, IP, and Protocol
• Tunnels multicast packets (Layer 2 tunneling)

Performance:

• FT-6606 sustained throughput is 40 Mbps, FT-6632 - up to 720 Mbps half Duplex, 360 Mbps full duplex Mbps
• The FT-6606 supports up to 25 client devices, FT-6632 - 50 client devicess
• FT-Soft performance is determined by the PC workstation
• Maximum 4,096 MAC address table entries

Indicators

• Power, port activity,LAN connection, LAN activity

Physical/Electrical

• Power: 12 VDC, 4 to 10 watts depending up on CPU load
• 12, 24, 48, 125 VDC and 240 VAC options are available
• Supplied with 100-240 VAC external supply
• Dimensions: 6 5/8” x 6 1/4 1” x 1 1/4”
• Shipping weight: 5 pounds
• Temperature rating 0C to +40C

• Power: 100 or 240 VAC Typically 200 watts maximum
• Dimensions: 17.2” W x 9.8” D x 1.7” H
• Shipping weight: 12 pounds
• Temperature rating: Operating +10C to +35C 8% to90% RH, Storage -40C to 70C, 5% to 95% RH

Environmental

• Humidity: Non-condensing

APPLICATIONS

How it works

Download a copy of the manual.

Just The Facts, Please.

Read the encryptor FAQ for quick answers to questions others have asked. Just click here.

---

Quick-start guide to the XT family products.

This application note guides the new XT user from opening the boxes to having a working encrypted tunnel between two XT units on a test bench. Step-by-step instructions make it quick and painless to learn the configuration process. Uses the XT-hEX as an example, but also covers other XT products.

Troubleshooting guide for the above Quick-start.

If it didn't go well and doesn't immediately work, this guide offers some troubleshooting hints. Most people won't need this, but it's here if you do.

What Do Those Tunnel Log Entries Mean?

When analyzing logs from DCB Tunnels (XT, UT, ET, and FT), there are often log entries that are surprising to the new user. We discuss those here.

Configuring the LAN3 on the XT-hEX, a Quick-start guide.

Most people won't need this, but if you want to use the third LAN port on the XT-hEX, this information will help you configure it.

All DCB ethenet encryptors operate similarly, with differences being in the protocols, capabilities, and authentication methods. Since the topology is comparable for all of them, we show application notes for all these products together.

DCB's Encryption Product Export Statement

Some of our encryption products are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. Some are classified as mass market encryption devices and may not be exported or shipped for re-export to restricted countries in Country Group E:1. They are exportable to most other countries. Read our Encryption Product Export Statement here for more specifics.

Using XT Tunnels with IP Radio Dispatch Systems.

Radio installers rely on DCB tunnel products to implement secure networks for mission critical applications. DCB Encryptors (XT, UT, and ET roducts) enable IP dispatching across multiple networks. They remove the multi-cast problem faced in many IP network installations so are frequently used along with Telex, Motorola, Kenwood, Harris, Zetron, AVTEC, and other two-way radio consoles. This document describes some of those techniques with examples we've seen at PSAPs and other dispatch centers.

Tunnel Product Security In Perspective.

Our encrypted tunnel appliances provides a LAN -to- LAN encrypted tunnel between locations. It employs a layer three (UDP/IP or TCP/IP) connection between two or more tunnel devices to create a secure, AES encrypted tunnel. For export purposes, the Some models are considered a Mass Market Encryption Device by the Department of State Bureau of Industrial Security and are export limited.

This product line meets HIPPA and most government standards for non-classified data transfer. However, it is not NIST FIPS 140-2 approved. For a FIPS 140 approved product, the (more expensive) FT line of encryption appliances is required. This note discusses the security implications of using our encrypted tunnels.

Redundancy Techniques Using DCB Tunnel Devices and Software.

Users have come to rely on DCB tunnel products to implement secure networks for mission critical applications in which downtime must be kept to a minimum. Thus it is not unusual for customers to ask questions about techniques that may be applied to make the tunnel network more robust. This document describes some of those techniques with examples.

Quick-start guide to the XT-3306.

This application note guides the new XT-3306 user from opening the boxes to having a working encrypted tunnel between two XT-3306 units on a test bench. Step-by-step instructions make it quick and painless to learn the configuration process. One difference between the XT and the UT/ET families is that the XT allows the selection of TCP and UDP protocols for the tunnel path.

Troubleshooting guide for the above Quick-start.

If it didn't go well and doesn't immediately work, this guide offers some troubleshooting hints. Most people won't need this, but it's here if you do.

Quick-start guide to the UT-3302.

This application note guides the new UT-3302 user from opening the boxes to having a working encrypted tunnel between two UT-3302 units on a test bench. Step-by-step instructions make it quick and painless to learn the configuration process.

Troubleshooting guide for the above UT-3302 Quick-start.

If it didn't go well and doesn't immediately work, this guide offers some troubleshooting hints. Most people won't need this, but it's here if you do.

Encrypted Bridge Installation Option

An application note describing an appliance-like installation that allows the Tunnel to be located anywhere on the local LAN. Known around DCB as the "Single-Port Installation".

Using the UT Encrypted Bridges and UT-SOFT with IP Multicast.

Discusses applying the UT products to transport VOIP multicast via non-multicast wide area networks. Examples showing IP voice dispatch radios for public service agencies. The UT supports multi-cast IP over normal uni-cast networks and allows a private multi-cast network to span multiple IP networks. The UT-SOFT software client allows any PC to be a securely connected node on a remote network

Motorola MIP 5000 VoIP Radio Console VPN Solution Guide

This Motorola produced MIP 5000 VoIP Radio Console VPN Solution Guide features a virtual private network (VPN) solution that has been tested with MIP 5000 VoIP Radio Console. The VPN solution uses a pair of encrypted Ethernet bridges to provide a secure Ethernet tunnel between the dispatch center and a remote MIP 5000 console. The secure Ethernet tunnel supports a remote console operator receiving audio from and transmitting audio to radio channels and other MIP 5000 consoles using AES encryption.

UT Tunnel Installation Note - "Living On a Wild Feed... Safely"

This short application note summarizes the options and requirements for directly connecting the untrusted interface of UT encrypted tunnels to the Internet. Yes, the UT tunnels may be safely living on the wild side of your firewalls and if properly configured appear to be a "black hole" to your adversaries!

Using the UT for Remote Management Applications Since the UT along with UT-Soft enables a remote workstation to have a virtual presence on a remote LAN segment, it's quite useful for network monitoring and analysis, similar to a RMON without the headaches. Download an application note that discusses using UT-Soft and our UT servers for remote LAN network montoring.

ET Encrypted Bridge Quick-Start Installation Guide

A cookbook style quick start guide to installing the ET Encrypted Bridges. Illustrates common usage examples with fill-in-the-blank instructions.

ET-3302/6600 Encrypted Bridge Applications

Some ways the ET products are being used to tunnel IP traffic in the real world.

Using the ET-6601 Encrypted Bridge with EVDO & Wifi

Discusses using the ET-6601 with high speed cellular modems and 802.11 Wifi wide area connections.

ET Encrypted Bridge Installation Option

An application note describing an appliance-like installation that allows the ET to be located anywhere on the local LAN. Known around DCB as the "Single-Port Installation".

Using the ET Encrypted Bridges with 801.Q VLANs

Discusses configuring the ET products to handle 801.Q VLAN traffic. The ET supports 801.Q VLAN tagged packets, and allows a VLAN to span multiple IP networks.

Using the ET Encrypted Bridges with IP Multicast.

Discusses applying the ET products to transport VOIP multicast via non-multicast wide area networks. Examples showing IP voice dispatch radios for public service agencies. The ET supports multi-cast IP over normal uni-cast networks and allows a private multi-cast network to span multiple IP networks.

Automating Dial-Up Router and Bridge PPP Connections

An application note that details one common method of automating the use of IP-6600 routers and ET-6600 bridges to dial multiple remote locations on a scheduled or automated basis.

Data Comm for Business Inc. 2949 County Road 1000 E Dewey, Il 61840	Voice: 217-897-6600 Toll Free: 800-4-DCB-NET Toll Free: 800-432-2638	Email: Contact Page Web: www.dcbnet.com Fax: 217-897-8023
All DCB web pages copyright ©1995- Data Comm for Business, All rights reserved. EtherPath®, EtherSeries®, EtherPoll®, EtherBridge® and EtherModem® are Registered Trademarks of Data Comm for Business, Inc.