cpl.thalesgroup.

com

Thales CN4010 Network Encryptor

Compact, High-Performance Encryption

Setting a new benchmark for price and performance, the Thales

CN4010 Network Encryptor (CN4010) is a versatile, cost-
effective, and simple to use platform that is user configurable
to provide transparent and high-assurance FIPS and Common
Criteria certified network encryption at full line rate speeds. The
CN4010 is a purpose built hardware encryption solution that
ensures high-efficiency Ethernet encryption, utilizing cutting edge Why CN4010 Encryptors?
high performance, low voltage electronics to provide wire speed
encryption of all voice, video and data communications. Trusted Security

The CN4010 provides optimal defense-grade security in a cost • True end-to-end, authenticated encryption
effective value proposition. A desktop device, the CN4010 • State-of-the-art automatic zero-touch key management
is designed as an entry-level HSE solution for commercial • Designed for FIPS 140-2 L3, Common Criteria,NATO, UC
Small to Medium Enterprise (SME) sector customers or larger APL
organizations with modest network needs; and is also suited to • Preferred by market leading commercial and government
widely distributed computing environments and multiple branch enterprises in over 35 countries
office locations. Maximum Network Performance
• Microsecond latency (<10 μS)
• Near-zero overhead
• Self-Healing capabilities for maximum up time
Scalable and Simple
• Point-to-Point, Hub and Spoke and Full Mesh
• Fully auditable alarm and event logs from 3rd party
management tools
Performance Transport Independent Mode

The CN4010 is a high-performance encryptor, operating in full Transforming the network encryption market, Thales Network
duplex mode at 10/100/1000 Mbps full line rate without any Encryptors are the first to offer Transport Independent Mode
packet loss in point-to-point, hub & spoke or meshed environments. (TIM) - network layer independent (Layer 2, Layer 3, and Layer
Using Field Programmable Gate Array (FPGA) technology, the 4) and protocol agnostic data in motion encryption. By supporting
CN4010’s cut-through architecture processes data frames as they Layer 3, Thales Network Encryptors offer network operators more
are received, ensuring consistent low latency across all packet configuration options using TCP/IP routing for securing critical data.
sizes for optimal performance. As a high-assurance appliance, The
CN4010 also has the following benefits:
CN4010 Encryptor At-A-Glance
• Secure, tamper-proof,dedicated hardware Model CN4010
• Standards-based encryption algorithms
• End-to-end, authenticated network encryption Protocol and Connectivity
• Automatic ‘zero-touch’ encryption key management Maximum Speed 1 Gbps
Support for Jumbo frames P
Scalability
Protocol and application transparent P

The CN4010 is fully interoperable with industry standard network Encrypts Unicast. Multicast and Broadcast traffic P
equipment from leading vendors, and with ‘bump in the wire’ Automatic network discovery and connection establishment P
design and variable speed licenses up to 1 Gbps, it is easy
to install and highly cost-effective. “Set and forget” simplicity Security
and application and protocol transparency are underlying Tamper resistant and evident enclosure, anti-probing
P
design themes, ensuring simple implementation, operation and barriers
management, and minimal resource requirements. Devices can Flexible encryption policy engine P

be field upgraded on site with ease, for maintenance, feature Per packet confidentiality and integrity with AES-GCM
P
enhancements and security updates. The CN4010 also supports encryption*
unicast, multi-cast, and broadcast domains. Automatic key management P

Automatic key management P

Certified Security
Encryption and policy
The tamper resistant CN4010 is certified Common Criteria and AES 128 or 256 bit keys 128/256
FIPS 140-2 Level 3, and supports standards based, end-to-end
Supports optional 3rd party quantum key distribution (QKD) P
authenticated encryption, automatic key management, and
CFB, CTR, GCM Encryption modes* P
utilizes robust AES 256-bit algorithms. In order to future proof the
appliance, the encryptor is also compatible with Quantum Key Policy based on MAC address or VLAN ID P

Distribution to guarantee secure communication between devices. Self healing key management in the event of network
P
outages

State-of-the-Art Key Management Certifications

Common Criteria, FIPS P
The CN4010 removes reliance on external key servers and
provides a robust fault-tolerant security architecture and tamper- Performance
resistant chassis. Physical and virtual separation of duties ensures Low overhead full duplex line-rate encryption P

that only authorized users can access the keys. Encryption keys FPGA based cut-through architecture P
are generated and stored securely in hardware within the device’s Latency (microseconds per encryptor) < 10µS
tamper-resistant enclosure, and any unauthorized attempts to
Management
physically extract the keys will result in device zeroization.
Front panel LED display notifications P

The CN4010 supports hardware based random number Centralized configuration and management using SMC
P
generators and can use externally generated entropy for and CM7
intrinsic key generation and distribution. For future-proofing, Support for external (X.509v3) CAs P
the encryptors support Quantum Key Distribution (Quantum
Remote management using SNMPv3 (in-band and
Cryptography) and Quantum random number generation. out-of-band)
P

NTP (time server) support P

Next Gen High Speed Encryption CRL and OCSP (certificate) server support P

Crypto-Agility Maintainability & Interoperability

In-field firmware upgrades P
Thales Network Encryptors are crypto-agile, meaning they support
External plug pack P
customizable encryption for a wide range of elliptic and custom
curves support. The appliances also allow bring your own entropy * Pending firmware release
capabilities. The crypto-agile platform is future proof, allowing for
All specifications are accurate as at the time of publishing and are subject to
responsive deployment of next-gen or custom algorithms. In response
change without notice.
to the Quantum threat, Thales Network Encryptors already leverage
Quantum Key Distribution (QKD) and Quantum Random Number
Generation (QRNG) capabilities for future-proof data security.
Specifications About Thales
Cryptography The people you rely on to protect your privacy rely on Thales to
protect their data. When it comes to data security, organizations
• AES 128 or 256 bit key X.509 certificates
are faced with an increasing number of decisive moments.
• Fully compliant with Public Key Infrastructure (PKI) Whether the moment is building an encryption strategy, moving
Device management to the cloud, or meeting compliance mandates, you can rely on
Thales to secure your digital transformation.
• Dedicated management interface (out-of-band)
• Or via the encrypted interface (in-band) Decisive technology for decisive moments.
• SNMPv3 remote management
• SNMPv2c traps
• SNMPv1 read only monitoring
• IPv4 & IPv6 capable
• Alarm, event & audit logs
• Command line serial interface
Installation
• Size: (WxHxD)—(W:180mm/7.1”, D:126mm/5.0”,
H:32mm/1.3”)
• Weight: 0.5kg /1.1 lbs.
Interfaces
• RJ45 interfaces
• RJ-45 serial console
• Dual USB ports
• RJ45 LAN/AUX connectors
Power Requirements
• DC input 9-15V DC, 6W consumption
• AC plug pack 100-240V AC; 47-63Hz
Physical Security
• Active/Passive tamper detection and key erasure
• Tamper evident markings
• Anti-probing barriers
Regulatory
• UL Listed, EMC (Emission and Immunity)
• FCC 47 CFR Part 15 (USA)
• EN 60950-1 (CE), EN 55022 (CE), EN 61000-3-2 (CE),
EN 61000-3-3 (CE)
• EN 55024 (CE), EN 61000-3-3 (CE), EN 55024 (CE)
• ICES-003 (Canada), AS/NZS CISPR 22 (C-Tick)
Environmental
• RoHS Compliant
• Max operating temperature: 50°C /122°F
• 0 to 80% RH at 40°C/104°F operating
© Thales - July 2020• EH v2

> cpl.thalesgroup.com <

Americas – Arboretum Plaza II, 9442 Capital of Texas Highway North, Suite 100, Austin, TX 78759 USA • Tel: +1 888 343 5773 or +1 512 257 3900 • Fax:+1 954 888 6211 • E-mail: [email protected]
Asia Pacific – Unit 1106-1107, New Kowloon Plaza 38 Tai Kok Tsui Road, Kowloon Hong Kong • Tel:+852 2815 8633 • Fax:+852 2815 8141 • E-mail: [email protected]
Europe, Middle East, Africa – 350 Longwater Ave, Green Park, Reading, Berkshire, UK RG2 6GF • Tel:+44 (0)1844 201800 • Fax:+44 (0)1844 208550 • E-mail: [email protected]