International. Axis Communications has announced that the latest version of its operating system, AXIS OS 11.8, supports the IEEE 802.1AE Media Access Control Security standard on more than 200 network devices, including cameras, intercoms and speakers.
This allows those devices to encrypt data automatically at Layer 2 (the data link layer) of Ethernet, strengthening communication in zero trust networks. Axis thereby becomes the first manufacturer of physical security products to incorporate Media Access Control Security (MACsec).
With AXIS OS 11.8, MACsec is enabled by default (via EAP-TLS/Dynamic CAK mode) to protect the integrity of data transferred between Axis devices and MACsec-enabled Ethernet switches.
In addition, MACsec protects data communications and network protocols at the lowest level of the stack, increasing protection against low-level attacks such as denial of service, intrusion, man-in-the-middle data insertion and interception.
The adoption of IEEE 802.1AE MACsec is in addition to Axis' implementation of the IEEE 802.1AR Secure Device Identity (DevID) standard, along with the IEEE 802.1X EAP-TLS network access control standard.
Out-of-the-box support for these three IEEE standards on Axis devices opens the door to automating end-to-end device onboarding, authentication, and encryption, allowing IT professionals to have standard mechanisms for integrating Axis devices into corporate networks.
"Customers have security features that are turned on by default and you don't have to configure anything," says Andre Bastert, Global Product Manager at AXIS OS. "They reduce the complexity of the installation and therefore save time and money. These security features are a great example of zero trust security that doesn't force customers to invest more time. With the increasing convergence of OT and IT, these standard security mechanisms are what IT professionals expect from intelligent IoT products, and Axis is responding to their needs as part of a well-established strategy to facilitate the secure, zero-touch integration of Axis network products into zero trust networks."
Features & Compatibility
MACsec allows a device and a MACsec-capable switch to exchange and verify encryption keys. The data in each Ethernet frame is then encrypted and decrypted in real time using 128-bit AES-GCM, enabling fast and secure data transfer.
AXIS OS 11.8 supports two standard IEEE 802.1AE security modes: Dynamic CAK (EAP-TLS), which is automatic and enabled by default, and Static CAK (pre-shared key) for manual configuration.
The securely stored Axis Device ID [1], an IEEE 802.1AR-compliant secure device identity, is used for authentication on MACsec networks [4,5] via IEEE 802.1X EAP-TLS port-based network access control [2]. During the EAP-TLS session, MACsec keys are exchanged automatically to establish a secure link [3] that protects all network traffic between the Axis device and a MACsec-enabled switch.
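To make the per-frame protection described above concrete, the following is an added example, not Axis code and not part of AXIS OS: it builds and validates an IEEE 802.1AE frame with the standard's default GCM-AES-128 cipher suite (clear DA, SA and SecTAG authenticated as additional data, nonce formed from SCI and packet number, 16-byte ICV). The key, SCI, MAC addresses and payload are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

var sak = []byte("0123456789abcdef")                              // constructed 128-bit Secure Association Key, not a real device key
var sci = []byte{0x00, 0x40, 0x8c, 0x11, 0x22, 0x33, 0x00, 0x01} // constructed Secure Channel Identifier: MAC || port

// secTag builds the 16-byte SecTAG: EtherType 0x88E5, TCI/AN (SC, E, C set; AN 0), SL, PN, SCI.
func secTag(pn uint32, plen int) []byte {
	tag := make([]byte, 16)
	binary.BigEndian.PutUint16(tag[0:], 0x88E5)
	tag[2] = 0x20 | 0x08 | 0x04
	if plen < 48 { // SL carries the user-data length only for short frames, else 0
		tag[3] = byte(plen)
	}
	binary.BigEndian.PutUint32(tag[4:], pn)
	copy(tag[8:], sci)
	return tag
}

// gcmAES128 is the 802.1AE default cipher suite; a 16-byte key cannot fail here.
func gcmAES128() cipher.AEAD {
	block, _ := aes.NewCipher(sak)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect returns DA || SA || SecTAG || ciphertext || ICV; the clear header is GCM additional data, nonce = SCI || PN.
func Protect(da, sa, payload []byte, pn uint32) []byte {
	aad := append(append(append([]byte{}, da...), sa...), secTag(pn, len(payload))...)
	nonce := append(append([]byte{}, sci...), aad[16:20]...)
	return append(aad, gcmAES128().Seal(nil, nonce, payload, aad)...)
}

// Validate rejects a PN below the receive window (replay) or a bad ICV (any edit to DA, SA, SecTAG or data).
func Validate(frame []byte, lowestPN uint32) ([]byte, error) {
	if len(frame) < 44 || binary.BigEndian.Uint16(frame[12:]) != 0x88E5 {
		return nil, fmt.Errorf("not a MACsec frame carrying an SCI")
	}
	if pn := binary.BigEndian.Uint32(frame[16:]); pn < lowestPN {
		return nil, fmt.Errorf("PN %d below receive window start %d", pn, lowestPN)
	}
	nonce := append(append([]byte{}, frame[20:28]...), frame[16:20]...)
	return gcmAES128().Open(nil, nonce, frame[28:], frame[:28])
}
```

A real MACsec implementation derives the SAK from the CAK during the MKA exchange and advances the receive window per secure association; here the key is fixed so the integrity, confidentiality and replay checks can be observed in isolation.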
Secure onboarding of an Axis device can be done through IEEE 802.1X EAP-TLS port-based network access control, combined with the IEEE 802.1AR standard supported on the Axis device. IEEE 802.1AR is part of the Axis Edge Vault cybersecurity platform and enables automatic authentication on an IEEE 802.1X network.
Axis loads unique IEEE 802.1AR-compliant Initial Device Identifiers (IDevIDs) into a tamper-proof hardware cryptographic module integrated into Axis IoT products at the time of manufacture, with the goal of protecting the IDevIDs from potential eavesdropping.
Easy onboarding is possible on any IEEE-compliant network, for example with HPE Aruba Networking ClearPass Policy Manager, for which an integration guide is available. For more technical information on IEEE 802.1AE MACsec in AXIS OS, refer to the AXIS OS Knowledge Base.