Strengths: Makes managing IPsec connections across the enterprise easy. We liked the performance of this tool purpose-built for encryption.
Weaknesses: Might be pricey in an enterprise deployment.
Verdict: This purpose-built offering provides great enterprise features. It is a very nice enterprise-class solution. We make this one our Best Buy.
Summary: The CipherOptics CEP series of network encryption devices combines with CipherEngine Policy and Key Manager to encrypt traffic across a range of network types, sizes and topologies. CipherEngine acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to CipherOptics encryption appliances.
CipherEngine consists of a suite of tools that perform various tasks. CipherView is the network management component. It is used to configure and manage the encryption appliances. The Management and Policy Server (MAP) is used for policy generation and management. Users employ the MAP function to create policies for hub-and-spoke, mesh, Layer 3 point-to-point and multicast networks that require common keys to secure traffic between multiple nodes. Key Authority Point (KAP) is the key generation and distribution tool that is used with MAP-generated policies. Policy Enforcement Points (PEPs) are the encryption appliances that enforce the security policies.
We tested using the CEP 100 as our gateway and the CipherEngine software as our client using a local KAP. The gateway requires a serial connection for initial configuration. Once users assign IP information, the rest of the configuration is done through the web interface. The client was easy to install and use. The local key generation happens through a command line window.
The product was designed to work on any topology and any network and is typically deployed between the edge router and the switch. Supported Layer 2 topologies include point-to-point, hybrid, mesh and 802.1q (VLAN) tagged links. Protection for Layer 3 includes multicast, broadcast and MPLS networks. High availability features, such as multi-home and load-balanced scenarios, deliver enterprise-class protections. The product works as an inline device that inspects every packet, allowing a granular policy choice for each one: encrypt, pass in clear text or discard.
A feature we particularly liked was the ability to permit encryption of packet data while leaving port and protocol information in the clear, allowing functionality, such as port-based QoS, NAT, policy-based routing and NetFlow statistic collection, to operate unimpeded after encryption.
The price of the CEP10-R is $2,400, the CEP100 is $9,800, and the CEP1000 is $30,000.
90-day support is provided under the warranty period. Multiple support options are available for fees ranging from 10 to 15 percent of list price.