Intelligent Solutions for the
Highest IT Security Requirements
Information security from the
architects of modern cryptographic systems
SINA (Secure Inter-Network Architecture)
enables the protected processing, storage,
transfer and also a full audit trail of classified
information and other sensitive data. The
portfolio comprises various SINA clients,
gateways, link encryptors, SINA Workflow
as well as the SINA Management. All SINA
products have been used successfully by
national and international customers
for a number of years.
The idea for the project originally arose
from the demand for secure communication within local networks in the context of
the German federal government's move
from Bonn to Berlin. Furthermore, there was
a general need for encryption technology at
the Internet Protocol (IP) level for protecting
secret material that would be suitable for
use in secure communication across wide
area networks (WAN).
The German Federal Office for Information
Security (BSI) outlined the broad concept
for SINA towards the end of the 1990s. In
December 1999, the BSI awarded secunet
Security Networks AG with the development of the SINA product series.
The essential idea behind this security
architecture is the comprehensive protection
of data classified at various levels, both
locally and during transfer via open networks. SINA arose from the aspiration to
create solutions that were consistent with
the exceptional security requirements of
national and international ministries, public
authorities, the armed forces and private
companies entrusted with classified materials. As a security partner of the Federal
Republic of Germany, secunet takes these
specifications fully into account in designing and manufacturing its product range.
Our secure network architecture has made
considerable advances over the past decade and has continued to set new standards
in the high security market.
"All SINA products undergo a strict evaluation process conducted by
the BSI. Before any product can be approved, all of its components
are subject to thorough and comprehensive testing. SINA product-
for Information Security
Modular system architecture
for high security
SINA's holistically designed architecture
makes it the intelligent solution for virtually
any requirement in the area of high security;
with its sheer range of performance, it is
uniquely positioned in the global market. All
SINA products comply with the highest
reliability standards and are constantly
undergoing further development. SINA
ensures confidentiality of processing and
communication at all national classification
levels and for every conceivable scenario.
Approved by the official authorising body
SINA is the only IPsec-based
been approved for use
up to the highest national
level of STRENG GEHEIM by the ultimate
authority in Germany for
German Federal Office for
Security (BSI). Furthermore SINA has also
obtained approvals at international level
up to and including NATO SECRET and
SECRET UE.
At the top level of the SINA security layers are applications
of different levels of classification that are strictly separated from each other. These contain widely available guest
operating systems and applications encapsulated in virtual computers (PCs) on the one hand,
and thin-client functionalities on the other.
IT security functions
Numerous highly sophisticated security modules that
have been staggered at multiple levels deep in the system
(e.g. IPsec encryption, access control, firewall functionality, intrusion protection) guard SINA against external
Secure system platform
The software foundation of SINA technology is the
severely pruned SINA Linux, which has been functionally
hardened and intensely evaluated for security. Embedded in the system platform are a Smartcard - the cryptographic anchor - and the cryptographic file systems.
The hardware, which has been dimensioned and configured to conform to classified information approval standards, comes in special design types that offer protection
against eavesdropping (TEMPEST) and manipulation, as
well as cryptographic modules and appropriate hardening. Furthermore it contains firmware that has been eval-
What makes SINA so powerful?
Scenarios for use
SINA L3 Box
SINA L3 Box as a VPN gateway is the central core component in high-security networks. The data that is exchanged between
SINA L3 Boxes, or indeed between SINA
clients and SINA L3 Boxes, is transmitted
securely via so-called 'cryptographic VPN
tunnels'. SINA L3 Boxes are used to connect government bodies and private
company networks via public connections, e.g.
the internet. SINA L3 Boxes additionally
serve as cryptographic network access
points to permit access by SINA clients to
(terminal) server areas. SINA L3 Box has
been acknowledged as the standard solution for many years now.
Established in complex high-security networks
SINA Management in online operation
STRENG GEHEIM (Germany)
NATO SECRET (NATO)
SECRET UE (EU)
SINA L3 Box S 30M
SINA L3 Box S 200M
SINA L3 Box S 1
SINA L3 Box H R 200M SDIP 27A
(planned for 2013)
SINA L3 Box S 3G
SINA L3 Box E 400M Zone 1
SINA L3 Box H 200M Zone 1
SINA L3 Box H 200M SDIP 27A
SINA Workstation can be used as either a
mobile or stationary crypto-client. SINA
Workstation users can work when they
need to, using their usual operating environment (e.g. MS Windows), with complete security and convenience, online as well as offline, in the office or on the road. Working in
different security zones is made possible by
operating multiple guest systems in parallel
(e.g. simultaneously in a classified network
and the internet).
This all-round security concept means that
SINA Workstation is able to offer considerably more than a conventional cryptographic
device, i.e. Smartcard, VPN, hard drive
encryption, interface control or a secure
operating system. Guest operating systems such as Linux or MS Windows and all
sensitive data are always separately and
securely stored in their own cryptographic
Parallel operation of virtualised and separately
classified MS Windows or Linux guest systems
Approval up to and including:
NATO CONFIDENTIAL (NATO)
RESTREINT UE (EU)
SINA Workstation E Desktop Zone 1
SINA Workstation H Desktop Zone 1
SINA Workstation H Desktop SDIP 27A
Mobile, highly secure processing,
SINA Workstation H R Notebook Zone 1
SINA Terminal is a crypto-client that does
not use a hard drive. It communicates with
servers via so-called 'Remote Desktop
Protocols'. This exceptionally lean-dimensioned client is just an I/O device for
graphics, mouse, keyboard and sound.
Data is transferred in encrypted form to the
terminal server, where the actual data
processing and storing is carried out.
Established in complex high security networks
Work stations with multiple PCs in differently
classified networks consolidated in one single
Approval up to and including
STRENG GEHEIM (Germany)
NATO SECRET (NATO)
SECRET UE (EU)
SINA Terminal E Desktop Zone 1
SINA Terminal H Desktop Zone 1
SINA Terminal H Desktop SDIP 27A
SINA L2 Box
The SINA L2 Box series offers components
of unprecedented performance for the secure exchange of information in networks
at the link level. LAN connections via public links carry the risk of data being read or
manipulated by unauthorised persons.
SINA L2 Boxes reliably encrypt data without in any way impairing the functioning or
performance of the LAN applications. SINA
L2 Boxes operate at transmission speeds
of up to 10 GBit/s.
High data throughput
Approval up to and including:
NATO RESTRICTED (NATO)
RESTREINT UE (EU)
SINA L2 Box S 1G
SINA L2 Box S 10G
SINA L2 Box S 100M
SINA One Way
SINA One Way is a black/red gateway. It
consists of a data diode together with a
'black' and a 'red' server. The gateway
permits only unidirectional data transfer
from a public or low-level source network
(classified as 'black') to a higher-level destination network (classified as 'red'). The system
thus facilitates the transfer of public
data that has been sourced from the internet into a network classified as SECRET.
The uniquely secure functionality of the
SINA One Way ensures that no information
from a 'red' destination network flows in the
Highly secure unidirectional data
High data throughput
Approval up to and including:
Common Criteria EAL 7+ Certification
GEHEIM (Germany)
Previous registries for classified information
only addressed the classic, paper-based
classified document world. This meant that,
while it was possible to create classified
documents by electronic means, it was
only possible to collect them in the form of
printouts because there were no approved
electronic registries for classified information. In addition, there was a lack of a consistent cryptographically supported implementation of the "need to know" principle in
classified information processing.
Until now, the market has not offered any
solutions that met the requirements of the
encryption instructions for classified information. This means that, for example,
approval and co-signatory processes
(workflows) are almost all implemented
through organizational measures.
SINA Workflow ne
The SINA Workflow system solution ensures a secure, consistent and compliant
implementation of specific business processes involving classified information.
SINA Workflow applies as soon as the data
is generated and stays with the process
right up to document destruction.
This modular system solution also supports
the import and export of classified data and
is prepared for the exchange of classified
data across all domains. SINA Workflow is a
network of secure workplaces with SINA
Workstations and scalable SINA Workflow
servers with integrated electronic registry
for classified data.
"Working closely together, BSI and secunet have performed outstanding development work on SINA and created a highly successful
product series. As an official security partner of Germany, we focus
our ongoing development activities stringently on the outstanding
requirements and current needs of our customer
secunet Security Networks AG
45128 Essen, Germany