KATIM GATEWAY 9011

THE BACKBONE OF ULTRA-SECURE COMMUNICATION


In today’s rapidly evolving digital landscape, organisations striving to protect their sensitive data in transit face an unprecedented challenge - the imminent threat of Quantum Computing. As cutting-edge research predicts, traditional cryptographic algorithms, which rely on large number factorisation or the discrete logarithm problem, are becoming increasingly vulnerable to quantum-powered attacks. With global threat actors on the brink of harnessing such formidable capabilities, safeguarding your data has never been more crucial.

KATIM Gateway 9011 has been designed from the ground up to mitigate these risks. The field-upgradeable platform integrates post-quantum resistant cryptographic primitives with a modern tunnelling protocol for protecting data in transit. Complete lifecycle tamper detection and response ensures the integrity of the hardware, while management access is secured by enforced segregation of duties and hardware-based multi-factor authentication.

Experience exceptional user satisfaction with the KATIM Gateway’s hardware-based, QoS-aware cryptographic implementation, which guarantees optimal performance for video and voice applications, even in parallel to bulk transfers. QoS-aware encryption planes isolate traffic in different classes of service to eliminate the impact of congestion in the transit network on higher-priority encrypted traffic.

Versatile and adaptable, the KATIM Gateway 9011 offers capacity options of 1/4/10 Gbps and supports both L2 and L3 tunnelling, making it ideal for protecting data in transit in the broadest variety of networks. In addition to point-to-point connections, meshed or hub/spoke deployment architectures are supported. 

KATIM Gateway 9011 brings you the next generation of secure data protection.

 

KEY FEATURES:
  • Next-generation high-performance hardware platform with full lifecycle tamper detection / response.
  • Unparalleled deployment flexibility in a single device:
    • L2 or L3 encryption
    • 1/4/10 Gbps cryptographic capacity options
    • 100/1000/10GBASE-T copper
    • 1000BASE and 10GBASE SR / LR / ER fiber
  • Integrated data diode ports enable hardware-enforced uni-directional secure data transfers between networks with incompatible security policies.
  • Three-level physical red / crypto / black isolation for reduced attack surface to sensitive data from external interfaces.
  • Custom-designed and hardened peer authentication, key exchange and data tunneling protocol to mitigate many classes of vulnerabilities by design.
  • Standards-based or custom national cryptographic algorithms to secure your data and key exchanges in a post-quantum world.
  • Software programmability for crypto, security, management and networking to protect your investment for years after the initial deployment.
  • Application- and QoS-aware in-transit protection delivers ultimate user experience by minimizing impact of traffic shaping and loss in a cipher network.
  • KATIM Gateway OS-powered and KATIM Gateway Network Management Suite managed for operational simplicity, functional parity and full interoperability in mixed KATIM Gateway product deployments. 
 
CRYPTOGRAPHY AND SECURITY
CRYPTOGRAPHY
  • Standards-based or custom national Crypto
  • Post-quantum resistant primitives
  • 512-bit or stronger keys for elliptic curves and 256-bit symmetric keys for 256-bit security
  • 1/4/10 Gbps bi-directional cryptographic capacity
IN-TRANSIT DATA PROTECTION 
  • L2 or L3 VPN for up to 500 KATIM® Gateways in point-to-point and/or mesh configurations
  • Authenticated key exchange
  • Dual-layer asymmetric handshake leveraging both classical and post-quantum cryptography
  • Frequent re-handshake with ephemeral keys for enhanced post-compromise security
  • Per-packet confidentiality and integrity protection
  • Aggressive, customisable key ratcheting of per-encryption-tunnel keys
  • Peer identity protection
  • Secure bypass for traffic not requiring encryption

KEY MANAGEMENT

  • Non-deterministic hardware-based random number generators from multiple vendors
  • In-device generated non-exportable peer authentication private keys
  • Ephemeral keys generated for each handshake
  • KATIM Gateway NMS Customizer application orchestrates key generation and certificate signing
TAMPER-PROOF, SECURE DESIGN
  • HW designed for FIPS 140-2 Level 4 compliance
  • Strict red/crypto/black separation in HW
  • Multiple layers of mechanical, temperature and anti-drill mesh sensors.
  • Always-on, battery-backed tamper detection and response
  • Hardware-protected root of trust, encrypted non-volatile storage and secure boot
 
MANAGEMENT
LOCAL & REMOTE MANAGEMENT
  • Local management using RS-232
  • 100/1000BASE-T IPv4 remote management
  • SSH, SNMPv3, rSysLog, TLS, secure NTP, SFTP
  • Role-based access control with enforced multi-factor authentication using USB tokens
  • DDoS protection for management traffic
  • KATIM Gateway Network Management Suite applications for offline management and future on-line management
 
NETWORKING
DATA PLANE 
  • Four cipher and plain SFP+ ports for pluggable copper or optical transceivers
    – 100/1000Base-T/10GBASE-T
    – 1000BASE- and 10GBASE-SR / LR / ER fiber
  • Untagged 802.3 Ethernet II or single VLAN tagged 802.1Q/p Ethernet traffic on plain and cipher
  • VLAN translation on plain/cipher
  • Jumbo frames up to 9216 bytes
  • MAC learning, ARP, GARP, ICMP, ICMP Path MTU discovery
  • Policy-based forwarding/routing, static routing and dynamic routing (future)
  • Ingress replication on plain interfaces for broadcast and multicast
  • Integrated data diode
QUALITY OF SERVICE
  • Up to 8 QoS-aware encryption planes for each gateway to gateway association with independent encryption keys for true voice/video/data end-to-end QoS
  • User-configurable or automatic mapping of plain traffic to QoS-aware encryption planes
  • Four internal classes of service for user traffic to ensure ultra-low latency and discard priority on congestion within the KATIM Gateway
  • QoS remarking on plain/cipher

 

SPECIFICATIONS
Dimensions 2RU, 19” rack mountable, 483 mm (W) x 401 mm (D) x 88.2 mm (H)
Power Two 100-230 VAC 50-60Hz AC-Power supplies, redundant and hot-swappable
Weight 22 kg
Other Tamper-protected, field-replaceable fan and battery unit: 3 redundant fans and 38Ah 3.6V LTC battery for transport and storage security
ETSI EN 300 019-1a-3 V2.3.2 Class 3.1 temperature-controlled environments
– Operating temperature: 0°C - 50°C
– Storage temperature: -20°C - 70°C
– Humidity: 5%-85% (non-condensing)