International. Axis Communications announced that the latest version of its operating system, AXIS OS 11.8, supports the IEEE 802.1AE Media Access Control Security standard on more than 200 network devices, including cameras, intercoms and speakers.
This advancement allows such devices to automatically encrypt data at Layer 2 (the data link layer) of Ethernet to strengthen communication in zero trust networks. In this way, Axis becomes the first manufacturer of physical security products to incorporate Media Access Control Security (MACsec).
With AXIS OS 11.8, MACsec is enabled by default (via EAP-TLS/Dynamic CAK mode) to protect the integrity of data transferred between Axis devices and MACsec-enabled Ethernet switches.
Additionally, MACsec protects data communications and network protocols at a fundamental level, providing increased protection against low-level attacks such as denial of service, intrusion, man-in-the-middle data insertion, and interception.
The adoption of IEEE 802.1AE MACsec adds to Axis' implementation of the IEEE 802.1AR secure device identity (DevID) standard, along with the IEEE 802.1X EAP-TLS network access control standard.
The out-of-the-box support of these three IEEE standards on Axis devices opens the door to automating device onboarding, authentication and end-to-end encryption, giving IT professionals standard mechanisms to integrate Axis devices on corporate networks.
“Customers have security features that are enabled by default and nothing needs to be configured,” said Andre Bastert, Global Product Manager, AXIS OS. “They reduce installation complexity and therefore save time and money. These security features are a great example of zero trust security that doesn't force customers to invest more time. With an increasing convergence of OT (Operational Technology) and IT (Information Technology), these standard security mechanisms are what IT professionals expect from intelligent IoT products, and at Axis we are responding to their needs with a consolidated strategy to facilitate the secure and zero-intervention integration of Axis networking products into zero trust networks.”
Features and compatibility
MACsec allows encryption keys to be exchanged and verified between a device and a MACsec-enabled switch. The data in each Ethernet frame is then encrypted and decrypted in real time using 128-bit AES-GCM, opening the door to fast and secure data transfer.
AXIS OS 11.8 supports two standard IEEE 802.1AE security modes: Dynamic CAK (EAP-TLS), which is automatic and enabled by default, and Static CAK (Pre-Shared Key) for manual configuration.
The securely stored Axis device ID [1], a secure device identity compliant with IEEE 802.1AR, is used for authentication on networks with MACsec [4,5] through IEEE 802.1X EAP-TLS port-based network access control [2]. In the EAP-TLS session, MACsec keys are automatically exchanged to create a secure link [3] that protects all network traffic from the Axis device to a MACsec-enabled switch.
Secure onboarding of an Axis device can be accomplished through IEEE 802.1X EAP-TLS port-based network access control, combined with the IEEE 802.1AR standard supported on the Axis device. IEEE 802.1AR is part of the Axis Edge Vault cybersecurity platform and enables automatic authentication on an IEEE 802.1X network.
At the time of manufacture, Axis loads unique IEEE 802.1AR-compliant Initial Device Identifiers (IDevIDs) into a tamper-proof hardware cryptographic computing module built into Axis IoT products, to protect the IDevIDs from possible eavesdropping.
Easy onboarding is possible on any IEEE standards-compliant network, for example with HPE Aruba Networking's ClearPass Policy Manager when an integration guide is available. For more technical information on MACsec IEEE 802.1AE on AXIS OS, see the AXIS OS knowledge base.