KATIM GATEWAY 9001-R

ULTRA-SECURE ENCRYPTION FOR THE MOST DEMANDING ENVIRONMENTS

Dimensions 190 mm (W) x 290 mm (D) x 44 mm (H)
Weight 3.5kg target
Power DC 12/24/48V ruggedized power input

Organisations interested in protecting data in transit face the challenge of quantum computing. Based on the latest research, traditional cryptographic algorithms that rely on the factorization of large numbers or on the discrete logarithm problem are predicted to be vulnerable to attacks that are more practical to execute with quantum computers. The most capable global threat actors are expected to have such capabilities in the near future.

KATIM Gateway 9001-R has been designed from the ground up to mitigate these risks. The field-upgradeable platform integrates post-quantum resistant cryptographic primitives with a modern tunnelling protocol for protecting data in transit. Full-lifecycle tamper detection and response ensures the integrity of the hardware, while management access is secured through enforced segregation of duties with hardware-based multi-factor authentication.

The KATIM Gateway 9001-R can be used in the most demanding environments, including in-motion deployments, and is ideal for protecting data in transit across the widest variety of networks requiring a ruggedized solution.

The hardware-based, QoS-aware cryptographic implementation ensures an excellent user experience for video and voice applications, even in parallel with bulk transfers. QoS-aware encryption planes isolate traffic into different classes of service to eliminate the impact of congestion in the transit network on higher-priority encrypted traffic. In addition to point-to-point connections, meshed or hub/spoke deployment architectures are supported.

 

KEY FEATURES:
  • Purpose-designed to deliver network encryption for the most demanding environments and in-motion deployments.
  • Fully ruggedized, next-generation, high-performance platform with full-lifecycle tamper detection / response.
  • Unparalleled deployment flexibility in a single device:
    • L2 or L3 encryption
    • Up to 1 Gbps cryptographic capacity options
    • 10 / 100 / 1000BASE-T copper
    • 1000BASE-SX / LX / EX fibre
  • Red / crypto / black separation for reduced attack surface to sensitive data from external interfaces.
  • Custom-designed and hardened peer authentication, key exchange and data tunnelling protocol to mitigate many classes of vulnerabilities by design.
  • Standards-based or national ciphers to secure your data and key exchanges in a post-quantum world.
  • Software programmability for crypto, security, management and networking to protect your investment for years after the initial deployment.
  • Application- and QoS-aware in-transit protection delivers ultimate user experience by minimizing impact of traffic shaping and loss in a cipher network.
  • KATIM Gateway OS powered and KATIM Gateway Network Management Suite managed for operational simplicity, functional parity and full interoperability in mixed KATIM Gateway product deployments.

 

CRYPTOGRAPHY AND SECURITY
CRYPTOGRAPHY
  • Standards-based or national Crypto Suite
  • Post-quantum resistant primitives
  • 512-bit or stronger keys for elliptic curves and 256-bit symmetric keys for 256-bit security
  • Up to 1 Gbps bi-directional encryption capacity
IN-TRANSIT DATA PROTECTION
  • L2 or L3 VPN overlay with full tunnelling
  • P2P and (M)P2MP hub-and-spoke or mesh topologies
  • Authenticated key exchange
  • Dual-layer asymmetric handshake leveraging both classical and post-quantum cryptography
  • Frequent re-handshake with ephemeral keys for enhanced post-compromise security
  • Per-packet confidentiality and integrity protection
  • Aggressive, customizable key ratcheting of tunnel-specific data plane encryption keys
  • Peer identity protection
  • Optional, secure bypass for traffic not requiring encryption 
KEY MANAGEMENT
  • KATIM Gateway Customizer application for key management
  • In-device generated, non-exportable peer authentication private keys
  • Ephemeral keys generated for each handshake
  • QRNG and non-deterministic, hardware-based random number generators from multiple vendors
TAMPER-PROOF, SECURE DESIGN
  • Battery-backed tamper detection and response for the full device lifecycle. Multiple layers of mechanical, temperature and anti-drill sensors.
  • HW designed for FIPS 140-3 Level 4 compliance
  • Hardware protected root of trust, encrypted non-volatile storage and secure boot

 

MANAGEMENT
LOCAL & REMOTE MANAGEMENT
  • Local management using USB or a plain I/O port
  • In-band remote management
  • SSH, SFTP, SNMPv3, rsyslog, TLS 1.3, authenticated NTP
  • Role-based access control with enforced multi-factor authentication using USB tokens
  • KATIM Gateway Network Management Suite applications for off-line and on-line management

 

NETWORKING
DATA PLANE
  • Cipher and plain ports for copper or optical
    10/100BASE-T/1000Base-TX RJ-45, or
    1000BASE-SX, LX and EX SFP
  • Plain/cipher: untagged 802.3 Ethernet II or single VLAN tagged 802.1Q/p Ethernet
  • Jumbo frames up to 9216 bytes
  • ARP, GARP, ICMP, unknown MAC learning
  • Policy-based forwarding/routing, static routing and dynamic routing with OSPFv2
  • Ingress replication on plain interfaces for broadcast and multicast
QUALITY OF SERVICE
  • Up to 8 QoS-aware encryption planes for each gateway-to-gateway association, with independent encryption keys, deliver the best voice/video/data end-to-end QoS in the presence of cipher network failures/discards.
  • User-configurable or automatic mapping of plain traffic to QoS-aware encryption planes
  • Internal classes of service with configurable mapping ensure optimized latency and deliver discard priority on congestion within the KATIM Gateway

 

SPECIFICATIONS
Dimensions: 190 mm (W) x 290 mm (D) x 44 mm (H)
Weight: 3.5kg target
Power and Cooling:
  • DC 12/24/48V ruggedized power input
  • Optional ruggedized external power supply
  • Passive cooling
Operating Environmental:
  • Temperature: -40°C - +60°C
  • Humidity: up to 95% non-condensing
  • Altitude: 0m – 12000m
Storage Environmental:
  • Temperature: -40°C - +85°C
  • Humidity: up to 95% non-condensing
  • Altitude: 0m – 12000m
Other:
  • MIL-STD Rain, Sand/Dust, Shock, Vibration, Drop, EMI/EMC protection
  • RoHS, EN62368-1