FEATURE NETWORK SECURITY


Figure 1: Multilayer encryption. The diagram maps the OSI layers (5-7 application, presentation and session; 4 transport; 3 network; 2 datalink/MAC; 1 physical/DWDM) against where encryption can be applied: SSL at the application layer encrypts only the payload, IPsec at the network layer encrypts the payload and TCP header, and L1OE at the physical layer encrypts everything, including the IP/MPL and MAC headers. Latency is labelled in ms, µs and ns, and the amount of information encrypted increases as encryption moves down the stack.


@fibresystemsmag | www.fibre-systems.com


financial transactions, they use Secure Sockets Layer (SSL) at the application layer (at the top of the OSI protocol stack). You know this is being applied when a little green icon appears in the browser address bar. Another popular place to apply encryption is in routers at the network layer (Layer 3 in the OSI model) using Internet Protocol Security (IPsec). However, encryption at higher layers is not always enough to stop the determined hacker. The shift to cloud computing has transferred attention to the optical fibres that underlie the high-speed communications from businesses to data centres, and between the data centres themselves. These fibres constitute very long unprotected paths and can be tapped at any point using clip-on devices that cost less than $100. The taps divert a tiny, undetectable percentage of the fibre’s light, but still enough to give the hacker access to all the information on the fibre. The hacker can even benefit if a message is encrypted at the application or IP layer, because the address headers at any particular level cannot be encrypted, as these are needed to send a message to its next stop. To a hacker, simply understanding which parties are communicating with each other, and with what frequency and volume, can assist them in breaking into a system in other ways. The solution is to employ Layer 1 optical encryption (L1OE), which protects all the information on an optical fibre from tapping attacks, including the address headers in higher layers. L1OE can be applied to popular 10G and 100G links used for data centre communication, and it is protocol agnostic; in other words, it is totally indifferent to whatever services are being transported on the fibre, whether Ethernet, Fibre Channel, or InfiniBand. A huge advantage of L1OE is that it operates at wire speed, adding virtually no latency to the transmission. This is increasingly important for supporting emerging edge computing applications that are purposefully deployed close to the users to minimise delays.

Figure 2 illustrates the key ingredients in a well-constructed L1OE implementation. A network key manager is operated by the enterprise customer or data centre operator and performs two key tasks. It authenticates the identities of the communicating optical nodes using X.509 certificates, and distributes public keys to the nodes to enable them to create a unique session key. This is then used to encrypt the information flowing across the optical link, typically using AES-256. This can be made even more secure by adding GCM (Galois Counter Mode) extensions that ensure no two messages are encrypted in the same way, and can also indicate if a hacker is attempting to tap the fibre.

Principles of cyber security

While encryption protects data from interception, cyber security applications protect against hackers who want to infiltrate or disrupt our systems, often pretending to be a legitimate user. These generally operate at choke points as packets cross from a public to a private domain. At a basic level, cyber security can be thought of as a passport control officer, and packets as those long lines of people snaking back and forth to enter the country. In the same way that a passport control officer examines the passport and information card you fill out, cyber security examines each and every packet attempting to enter the private domain. Sometimes only the header with address information is examined but, depending on the application and circumstance, it may also inspect the message payload. Cyber security applications can then take various actions, including simply allowing or rejecting entry, or perhaps allowing entry but only after flagging for further investigation because there was something odd and it may be part of a long-term infiltration pattern. Starting with the cyber security basics, a range of powerful and complementary protection applications can be created. These are depicted in Figure 3 and summarised in the table. Enterprises and data centre operators can pick and choose from among these applications, customising cyber security to suit their business needs.

NFV implementation

Until recently, network customers have been purchasing assorted services, each running on a dedicated appliance connected to the organisation’s network. Operators recognised

28 FIBRE SYSTEMS Issue 11 • Spring 2016


Figure 2: A well-constructed Layer 1 optical encryption system. Node A (a P-OTS at the enterprise office) and Node B (a P-OTS in front of the cloud-based applications) each hold their own private key. An enterprise IT admin runs the Network Key Manager, used by the enterprise customer to administer encryption of, and monitor, their links; it holds Nodes A and B’s public keys. The encrypted optical link between the nodes crosses the public domain using AES-256 with GCM extensions, so intercepted data is indecipherable.

Figure 3 and its table, as far as they can be recovered from the page: the numbered applications are 1 L1 – L3 encryption; 2 DDoS protection; 3 Secure site gateway (UTM); 4 Strong authentication; 5 Unidirectional secure gateway; 6 Network anomaly detection; 7 Big data analytics; 8 Real-time dashboard. The diagram places them between the enterprise office, the public domain, a classified network and cloud-based applications, with all traffic info and all log info feeding a real-time viewer such as ECI Telecom’s LightSec-V and a real-time unified dashboard.