
FIPS 140-2, Common Criteria and DoDIN APL for Keysight Packet Brokers

2020-08-13  |  5 min read 

Keysight has long been the source of truth in the world of electronic measurement, with a history spanning decades back to when Hewlett and Packard got together in a garage in Palo Alto. That is why our acquisition of Ixia, with their decades of experience as the source of truth for networks and the traffic they carry, makes so much sense.

Experience helping all the biggest network vendors test and validate their products in their hardware development labs, as well as experience with the biggest and most advanced service providers, has given us a lot of practice providing insight and visibility into network traffic and performance at scale.

It is this need to be able to perform at scale that has given the enterprise visibility side of the house, with network packet brokers, bypass switches and taps, some fundamental architectural advantages over the competition. Remember the adage, do what you can in hardware and what you must in software? Easy to forget in these days of software-defined everything, but it is still true. That is why the ongoing battles between AMD and Intel still matter. It is why GPUs from vendors like Nvidia are so crucial to not only gaming and graphical applications, but also compute-heavy efforts like cryptocurrency mining. It is also why we love network visibility bakeoffs.

One of the approaches we take is using FPGAs (field-programmable gate arrays, basically reprogrammable chips) to provide hardware acceleration in our network packet brokers. Just like a serious gamer would be hard pressed to game without a good graphics card in their PC, we find that the right hardware architecture, including that all-important hardware acceleration, is key to real-world performance in a network packet broker.

With that hardware acceleration, you no longer need to worry about dropped packets. Indeed, you can have filters and features turned on and still process traffic at line rate. Our biggest competitor struggles with this due to a software architecture where the customer has to carefully pick and choose which filters and features to use and may end up having to daisy-chain multiple appliances to get everything to play nicely together.

That said, in some environments it is not enough to just have the best approach to network visibility; you also need to have the right certifications in place.

Enter FIPS 140-2 Level 1, Common Criteria (NDcPP v2.1) and the DoDIN APL

In addition to the normal work we have been doing with products like Threat Simulator (read more here), we have also been working hard with the right partners on certifications. With Common Criteria, we worked with Jason Lawlor and his team at Lightship Security on NDcPP v2.1 (Collaborative Protection Profile for Network Devices). For FIPS 140-2, we partnered with Mark Minnoch and the team at KeyPair Consulting. Finally, Tachyon Dynamics, with Jeremy Duncan and his team, helped us with the DoDIN APL. These are all great teams who bring a ton of experience and knowledge to the table and were all instrumental to our overall goal of having the certifications that government needs so they can buy the gear they really want.

More information about our Government network visibility program is available here:

While we are on the topic of learning more, here’s a link to our 13 August press release on the topic.

Thanks for reading.