Black Box ET0010A User Manual

Getting Started with ETPM
EncrypTight User Guide
About ETPM Policies
A policy specifies what traffic to protect and how to protect it. Each packet or frame is inspected by the 
PEP and processed based on the filtering criteria specified in the policy. Each policy specifies:
The PEPs to be used
The ETKMSs to be used
The networks the PEPs will protect
The action that is to be performed (encrypt, send in the clear, or drop)
The kind of traffic the policy affects
Filtering criteria can be high level, such as “encrypt everything,” or more granular, specifying traffic 
based on IP addresses, protocols, or VLAN ranges. After applying the traffic filters, the PEP takes one of 
three actions: it encrypts the packet (IPSec), passes it in the clear (bypass), or drops it. 
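The sketch below is an added example, not part of the EncrypTight manual or software. It models the filter-then-act behavior described above and lists which sample flows would leave in the clear. The record layout, first-match ordering, fail-closed default, and the merging of IP and VLAN criteria into one record are assumptions made for illustration.

```python
# Illustrative model only: field names, first-match ordering and the
# fail-closed default are assumptions, not EncrypTight's policy format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ENCRYPT, CLEAR, DROP = "encrypt", "clear", "drop"

@dataclass(frozen=True)
class Policy:
    name: str
    action: str
    src: str = "0.0.0.0/0"           # source network (CIDR)
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    protocol: Optional[int] = None   # IP protocol number; None = any
    vlans: Optional[range] = None    # VLAN ID range; None = any

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        vlan = pkt.get("vlan")       # untagged packets carry no VLAN ID
        if self.vlans is not None and (vlan is None or vlan not in self.vlans):
            return False
        return True

def decide(policies, pkt):
    """Return (policy name, action) for the first matching policy."""
    for p in policies:
        if p.matches(pkt):
            return p.name, p.action
    return "default", DROP           # assumed fail-closed default

def cleartext_flows(policies, flows):
    """Audit helper: which sample flows would leave unencrypted?"""
    return [f for f in flows if decide(policies, f)[1] == CLEAR]

# Constructed policy set and sample packets.
POLICIES = [
    Policy("bypass-ospf", CLEAR, protocol=89),
    Policy("drop-guest-vlans", DROP, vlans=range(200, 300)),
    Policy("encrypt-site-to-site", ENCRYPT, src="10.1.0.0/16", dst="10.2.0.0/16"),
]
FLOWS = [
    {"src": "10.1.0.5", "dst": "10.2.0.9", "protocol": 6},
    {"src": "10.1.0.1", "dst": "10.2.0.1", "protocol": 89},
    {"src": "10.1.3.3", "dst": "10.2.4.4", "protocol": 17, "vlan": 250},
    {"src": "192.0.2.7", "dst": "10.2.0.9", "protocol": 6},
]
```

Running `cleartext_flows` over a set of representative flows before deploying a policy set shows exactly which traffic a bypass rule exposes.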
IP Policies
EncrypTight supports policies for Layer 2 Ethernet networks and Layer 3 IP networks, based on the type 
of PEPs used for encryption. Supported IP topologies are:
Hub and spoke
Mesh
Point-to-point 
Multicast 
Layer 3 IP policies protect IP traffic using ETEP PEPs.
IP policies consist of four components:
ETEP PEPs enforce the policies
ETKMSs distribute the keys and policies to the PEPs
Networks identify the IP addresses of the networks included in the policy
Network Sets associate the networks to the protecting PEPs and the supporting ETKMS
Ethernet Policies
In Layer 2 Ethernet, the supported topology is meshed networks. If an Ethernet network uses VLAN ID 
tags, a virtual point-to-point topology can be established. 
Layer 2 Ethernet policies protect Ethernet traffic using ETEP PEPs. An Ethernet policy can be applied to 
all Layer 2 traffic or restricted to traffic that contains VLAN ID tags that fall within a given range. 
Ethernet policies consist of three components:
ETEP PEPs enforce the policies