
D-5126 Cypher Cube Fortifying Network with Layer 2 Encryption


© Cube Optics AG 2014 - D-5126 Rev.A.1


“Tapping a fiber-optic cable without being detected, and making sense of the information you collect, isn't trivial but has certainly been done by intelligence agencies for the past seven or eight years. These days, it is within the range of a well-funded hacker … our advice to enterprises is to use encryption over all network connections where the physical security or access to the network, whether copper or fiber or wireless, cannot be secured” - John Pescatore, former VP and Distinguished Analyst at Gartner and former NSA analyst.

Introduction

In this always-connected age, valuables are no longer locked up in a Swiss bank vault; they traverse communication networks. Information is perhaps the only asset that can bring about the rise and fall of a person, a company, an industry, or even a country, which is why billions of dollars are spent protecting confidential data from breach. The convergence of communication infrastructure means that fiber-optic networks are replacing traditional point-to-point connections and carry every form of communication. Local traffic of all kinds (video, voice and data from financial institutions, healthcare, insurance and law firms, and data centers) is linked to other locations over public fiber networks. Optical fiber was long considered a secure transmission medium; developments of the last decade have proved otherwise. The continuing risk of sophisticated attacks means that information must be protected not just with firewalls, antivirus software and intrusion detection/prevention systems, but also by fortifying the network infrastructure itself so that data in transit is encrypted.

Encryption is the process of transforming plain data into unreadable ciphertext using an encryption key. Layer 2 encryption (also called link encryption) encrypts information at the data link layer of the OSI model as it is transferred between two sites, as shown in Figure 1. It protects information during transport and is especially valuable when the security of the transmission line cannot be guaranteed.

Stressing the fiber's vulnerability to attack, this paper outlines the ways an optical fiber can be tapped and presents Layer 2 encryption as a simple, reliable and cost-effective answer to the pressing problem of data theft and misuse.

Figure 1: Point-to-point Layer 2 encryption and decryption

How is the optical fiber tapped?

The myth of a hack-proof optical transmission medium has been debunked; according to Cisco's findings, around 50,000 network intrusions are detected every day1. It is not obvious, though, how a fiber can be tapped the way its copper counterpart can. For an attacker, whether malicious or merely eavesdropping, the first step is to find a point of physical access to the targeted fiber, which is easily done at an exposed location somewhere between the two connected sites. Extracting the information from the fiber without disrupting service is then only a matter of owning commercially available equipment.

a) Misusing the carrier maintenance points

Most service providers have pre-installed splice points or Y-bridges on their networks for monitoring and maintenance. Tapping at these points with a coupler is the simplest way to get hold of the signal without service disruption and without arousing suspicion. Such points divert only a small fraction of the signal, which is more than enough to capture all of the information.

1 Cisco 2014 Annual Security Report

b) Misusing the fiber bending property

Light propagates within the core as long as the condition of total internal reflection holds. As illustrated in Figure 2, bending the fiber violates this condition and a small portion of the light leaks out of the core2. A commercially available clip-on coupler clamped to the fiber at that point collects the light radiating from the core and directs it into another fiber. Carriers use this device to monitor link performance; an attacker can use it just as easily, without interrupting the link.

Once the light has been extracted, the sensitive data it carries is recovered with an inexpensive photodetector. Someone with a good knowledge of fiber could go further and jam the signal or even corrupt the data.

Encryption at different layers

Once a working fiber link has been commissioned, little time or effort is spent actively monitoring its performance unless there is a service disruption. The small fluctuations caused by the tapping methods described above may be dismissed as effects of environmental change. In practice, the only definitive way to protect data in motion is encryption.

2 Furdek, Skorin-Kapov, Physical-Layer Attacks in Transparent Optical Networks

Figure 2: Bending the fiber causes light to leak outside the fiber core2
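Both tapping methods above take a small but persistent fraction of the optical power, and the paper's point is that the resulting dip is easily written off as environmental. The following is an added example, not from the Cube Optics paper or its product, of how a monitoring system can avoid exactly that mistake: it reads transceiver receive-power readings (the DOM/DDM values most optics expose), tracks a rolling-median baseline per port that follows slow drift, and raises an alert only for a sudden level change that persists over several consecutive readings. The log format, the port names and all readings are constructed for this example; the 0.3 dB threshold and window sizes are assumptions to be tuned to the optics in use.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed log line format: "<timestamp> port=<name> rx_power_dbm=<value>".
var lineRE = regexp.MustCompile(`^(\S+) port=(\S+) rx_power_dbm=(-?\d+(?:\.\d+)?)$`)

// Sample is one receive-power reading from a transceiver's digital diagnostics.
type Sample struct {
	TS   string
	Port string
	DBm  float64
}

// Alert describes a confirmed step change on one port.
type Alert struct {
	Port     string
	FirstTS  string  // timestamp of the first out-of-band reading
	Baseline float64 // rolling median before the step, dBm
	NewLevel float64 // median of the confirming readings, dBm
	DropDB   float64 // Baseline - NewLevel; positive means power was lost
}

// ParseDOMLog extracts readings and silently skips lines that are not readings.
func ParseDOMLog(text string) []Sample {
	var out []Sample
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		v, err := strconv.ParseFloat(m[3], 64)
		if err != nil {
			continue
		}
		out = append(out, Sample{TS: m[1], Port: m[2], DBm: v})
	}
	return out
}

func median(xs []float64) float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

type portState struct {
	hist    []float64 // in-band readings forming the baseline (at most Window)
	pending []Sample  // consecutive out-of-band readings awaiting confirmation
}

// StepDetector flags a sudden, persistent change in receive power. The rolling median
// follows slow drift (temperature, ageing), a single noisy reading is forgiven, and only
// Confirm consecutive readings all ThresholdDB away from the baseline raise an Alert.
type StepDetector struct {
	Window      int
	ThresholdDB float64
	Confirm     int
	ports       map[string]*portState
}

func NewStepDetector(window int, thresholdDB float64, confirm int) *StepDetector {
	return &StepDetector{Window: window, ThresholdDB: thresholdDB, Confirm: confirm, ports: map[string]*portState{}}
}

// Feed processes one reading and returns a non-nil Alert when a step is confirmed.
func (d *StepDetector) Feed(s Sample) *Alert {
	st, ok := d.ports[s.Port]
	if !ok {
		st = &portState{}
		d.ports[s.Port] = st
	}
	if len(st.hist) < d.Window { // still learning the baseline for this port
		st.hist = append(st.hist, s.DBm)
		return nil
	}
	base := median(st.hist)
	if math.Abs(base-s.DBm) < d.ThresholdDB {
		st.pending = nil                      // an isolated outlier is forgiven
		st.hist = append(st.hist[1:], s.DBm) // slow drift moves the baseline along
		return nil
	}
	st.pending = append(st.pending, s)
	if len(st.pending) < d.Confirm {
		return nil
	}
	levels := make([]float64, len(st.pending))
	for i, p := range st.pending {
		levels[i] = p.DBm
	}
	a := &Alert{Port: s.Port, FirstTS: st.pending[0].TS, Baseline: base, NewLevel: median(levels), DropDB: base - median(levels)}
	st.hist, st.pending = levels, nil // restart the baseline at the new level: report a persisting tap once
	return a
}

// Scan runs the detector over a whole log and returns the alerts in order.
func Scan(text string, d *StepDetector) []Alert {
	var alerts []Alert
	for _, s := range ParseDOMLog(text) {
		if a := d.Feed(s); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// SampleLog is a constructed DOM log: Gi1/0/1 is stable and then abruptly loses about
// 0.55 dB (the signature a tap coupler would leave); Gi1/0/2 drifts 0.02 dB per reading,
// as a warming enclosure might, and must not alert.
func SampleLog() string {
	stableThenTap := []float64{-7.10, -7.12, -7.09, -7.11, -7.10, -7.13, -7.08, -7.11, -7.10, -7.12,
		-7.66, -7.64, -7.67, -7.65, -7.66}
	var b strings.Builder
	for i, v := range stableThenTap {
		ts := fmt.Sprintf("2014-06-03T10:%02d:00Z", i)
		fmt.Fprintf(&b, "%s port=Gi1/0/1 rx_power_dbm=%.2f\n", ts, v)
		fmt.Fprintf(&b, "%s port=Gi1/0/2 rx_power_dbm=%.2f\n", ts, -6.00-0.02*float64(i))
	}
	return b.String()
}

func main() {
	for _, a := range Scan(SampleLog(), NewStepDetector(8, 0.3, 3)) {
		fmt.Printf("%s: %s dropped %.2f dB (%.2f -> %.2f dBm); inspect the span for a tap\n",
			a.FirstTS, a.Port, a.DropDB, a.Baseline, a.NewLevel)
	}
}
```

Run against the constructed log, the detector reports one alert, for Gi1/0/1 at the first low reading, and stays quiet on the drifting port. An alert of this kind is not proof of a tap, but it is the trigger for an OTDR trace of the span, which is how the location of an inserted coupler or a sharp bend is actually found.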

Communication between two end users in a network follows the standard layered reference model depicted in Figure 3, the OSI model. Each layer has an independent task and provides services to the layer above it. The lowest layer, the physical layer, transports bits over physical media such as radio waves, copper wires and glass fibers. The highest, the seventh, is the application layer, which provides the interface to the user or represents applications such as voice, file transfer, database access and email. Data can be encrypted at different layers of the model. Encrypting the content end to end at the higher layers is impractical: managing separate encryption for every application invites user error and consumes too much time. The ideal approach is to encrypt at a much lower layer.

Commonly this is done at the fourth, "Transport", layer in the form of Secure Sockets Layer (SSL) encryption, which is widely used on the Internet, for example for online banking. At the third, "Network", layer, IP Security (IPsec) is used. At the second, "Data Link", layer, Layer 2 encryption is used, which is the approach recommended by the Metro Ethernet Forum (MEF).

While IPsec and SSL are regarded as highly secure, the latency they add limits their use to non-time-critical, lower-bandwidth communication such as online payments and file transfer. For video, voice or other real-time high-speed communication, the extra bytes that tunneling adds to every packet, shown in the upper part of Figure 4, make the overall communication undesirably slow.

A study by the Rochester Institute of Technology (RIT) showed that Layer 2 encryption technologies provide superior throughput and far lower latency than IPsec, as shown in Figure 5. The IPsec overhead consumes valuable network bandwidth, reduces throughput, and keeps the communication from reaching full line speed.

Figure 3: The seven layers of the OSI model

Figure 4: Comparison of IPsec-encrypted packets transported over the underlying Ethernet structure versus Layer 2-encrypted data with all headers encrypted except the MAC header and CRC checksum
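To make the overhead argument concrete, the following is an added example, not from the Cube Optics paper or its product, that models what one IP packet costs on the wire for an unencrypted frame, for in-place Layer 2 encryption as the paper describes it (nothing added to the frame), for IEEE 802.1AE MACsec as a labelled reference point, and for IPsec ESP tunnel mode with AES-GCM, including the fragmentation IPsec causes once the outer packet no longer fits the MTU. It assumes a 1500-byte MTU without jumbo frames, IPv4 outer headers, a MACsec SecTAG with explicit SCI and 128-bit ICVs; the header sizes come from IEEE 802.3, IEEE 802.1AE, RFC 4303 and RFC 4106.

```go
package main

import "fmt"

// Byte counts from IEEE 802.3, IEEE 802.1AE, RFC 4303 and RFC 4106.
// Assumptions: 1500-byte MTU, no jumbo frames, IPv4 outer header, SecTAG with SCI, 128-bit ICVs.
const (
	ethHeader      = 14     // destination MAC + source MAC + EtherType
	ethFCS         = 4      // CRC-32
	ethPreambleIFG = 8 + 12 // preamble/SFD + inter-frame gap: paid per frame at line rate
	ethMinPayload  = 46
	mtu            = 1500

	macsecSecTAG = 16 // 802.1AE SecTAG with explicit SCI
	macsecICV    = 16 // GCM-AES integrity check value

	ipv4Header = 20
	espHeader  = 8  // SPI + sequence number
	espGCMIV   = 8  // explicit IV for AES-GCM (RFC 4106)
	espTrailer = 2  // pad length + next header
	espICV     = 16 // 128-bit GCM ICV
)

// ethernetWireBytes is what one frame costs on the wire for a given Layer 2 payload.
func ethernetWireBytes(payload int) int {
	if payload < ethMinPayload {
		payload = ethMinPayload // short frames are padded to the minimum
	}
	return ethPreambleIFG + ethHeader + payload + ethFCS
}

// WirePlain: an unencrypted IP packet of ipLen bytes in a single frame.
func WirePlain(ipLen int) int { return ethernetWireBytes(ipLen) }

// WireLayer2InPlace: the paper's Layer 2 model, frame body encrypted in place, nothing added.
func WireLayer2InPlace(ipLen int) int { return ethernetWireBytes(ipLen) }

// WireMACsec: IEEE 802.1AE inserts a SecTAG after the MAC header and an ICV before the FCS.
// Assumes the link accepts the slightly oversized frame rather than dropping it.
func WireMACsec(ipLen int) int { return ethernetWireBytes(macsecSecTAG + ipLen + macsecICV) }

// ESPTunnelLen is the outer IPv4 length after ESP tunnel-mode encapsulation with AES-GCM.
func ESPTunnelLen(ipLen int) int {
	pad := (4 - (ipLen+espTrailer)%4) % 4 // RFC 4303: trailer must end on a 4-byte boundary
	return ipv4Header + espHeader + espGCMIV + ipLen + pad + espTrailer + espICV
}

// WireIPsec: ESP tunnel mode over Ethernet. When the outer packet exceeds the MTU it is
// fragmented, so the sender pays a second frame (and a second IP header) for it.
func WireIPsec(ipLen int) int {
	total := ESPTunnelLen(ipLen)
	if total <= mtu {
		return ethernetWireBytes(total)
	}
	payload := total - ipv4Header
	maxFrag := ((mtu - ipv4Header) / 8) * 8 // fragment offsets count in 8-byte units
	wire := 0
	for payload > 0 {
		chunk := payload
		if chunk > maxFrag {
			chunk = maxFrag
		}
		wire += ethernetWireBytes(ipv4Header + chunk)
		payload -= chunk
	}
	return wire
}

// Efficiency is useful IP bytes divided by the bytes consumed on the wire.
func Efficiency(ipLen int, wire func(int) int) float64 {
	return float64(ipLen) / float64(wire(ipLen))
}

func main() {
	fmt.Printf("%7s %7s %7s %7s %7s\n", "IP len", "plain", "L2", "MACsec", "IPsec")
	for _, n := range []int{64, 128, 256, 512, 1024, 1500} {
		fmt.Printf("%7d %7.3f %7.3f %7.3f %7.3f\n", n,
			Efficiency(n, WirePlain), Efficiency(n, WireLayer2InPlace),
			Efficiency(n, WireMACsec), Efficiency(n, WireIPsec))
	}
}
```

Running it reproduces the shape of Figure 5: at 64-byte packets IPsec delivers about 0.41 of line rate against 0.63 for the unencrypted or in-place encrypted frame, and at 1500 bytes the 1556-byte encapsulated packet no longer fits the MTU and is sent as two frames. Latency is not modelled here; the model only shows why small-packet traffic such as voice suffers most from per-packet headers, which is the paper's bandwidth-efficiency argument.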

Layer 2 encryption and its advantages

Layer 2 encryption is often referred to as a "bump in the wire" technology. The term captures the simplicity, maintainability and performance benefits of Layer 2 solutions: they are transparent to end users and have little or no impact on network throughput.

Layer 2 encryption intrinsically covers all data sent over the infrastructure and hides the sender-to-receiver information (down to the user or the IP address) from an observer on the line. It adds the lowest possible latency to the data transmission and therefore supports the highest data throughput, which many of today's applications require. Layer 2 encryption is far more efficient than IPsec, with little to no impact on network performance, because it adds little or no per-packet overhead to increase latency.

It is also the easiest encryption technology to deploy, since key management is automated by the physical transport equipment at the endpoints. Layer 2 encryption can be implemented for point-to-point networks as well as point-to-multipoint and multipoint-to-multipoint architectures, at data rates from 1 Gbps to multiple 10 Gbps.

With robust cryptography, the Advanced Encryption Standard (AES) with 256-bit keys, Layer 2 encryption gives the network the strongest available protection and leaves control with the customer, independent of the carrier's service. The key benefits of Layer 2 encryption are listed below.

• Low protocol overhead and hence low latency (measured in microseconds, whereas IPsec delay is measured in milliseconds).

• Lowest cost of ownership, with up to 50% better bandwidth efficiency and enterprise scalability.

• No degradation of network or application performance, and little or no configuration and maintenance once installed.

• Operates at wire speed up to 10 Gbps and is transparent to the media carried (voice, video, etc.).
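What "AES-256 encryption with all headers encrypted except the MAC header and CRC" (Figure 4) amounts to in code is shown by the following added example. It is not the Cube Optics product's frame format or key management; it is a minimal construction of the same idea with AES-256-GCM: the 14-byte MAC header stays in the clear but is authenticated as associated data, so someone tapped into the line can neither read the EtherType and payload nor swap addresses unnoticed, and a fresh FCS is computed over the protected frame. The nonce scheme (a 4-byte per-link salt plus an 8-byte counter carried in the frame), the replay check, and the constructed key and addresses are this example's own assumptions; the counter and tag add 24 bytes per frame here, whereas a product that encrypts in place with its own framing need not grow the frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

const (
	macHeaderLen = 14 // destination MAC + source MAC; EtherType follows and is encrypted
	fcsLen       = 4
	ctrLen       = 8 // per-frame counter sent in the clear; completes the 96-bit GCM nonce
)

// LinkEncryptor protects one direction of a link. Both ends must share key and salt;
// distributing them is the key-management task the paper says the transport gear automates.
type LinkEncryptor struct {
	aead cipher.AEAD
	salt [4]byte // per-link nonce salt (assumption of this example)
	ctr  uint64  // last counter sent
	seen uint64  // highest counter accepted on receive, for replay protection
}

func NewLinkEncryptor(key []byte, salt [4]byte) (*LinkEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkEncryptor{aead: aead, salt: salt}, nil
}

func (l *LinkEncryptor) nonce(ctr uint64) []byte {
	n := make([]byte, 12)
	copy(n, l.salt[:])
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

// fcs is the Ethernet CRC-32 as it appears on the wire (little-endian).
func fcs(b []byte) []byte {
	out := make([]byte, fcsLen)
	binary.LittleEndian.PutUint32(out, crc32.ChecksumIEEE(b))
	return out
}

// BuildFrame assembles dst | src | EtherType | payload | FCS (preamble omitted).
func BuildFrame(dst, src [6]byte, etherType uint16, payload []byte) []byte {
	f := append(append([]byte{}, dst[:]...), src[:]...)
	f = append(f, byte(etherType>>8), byte(etherType))
	f = append(f, payload...)
	return append(f, fcs(f)...)
}

// Protect keeps the MAC header in the clear but authenticated, encrypts EtherType and
// payload, and recomputes the FCS: dst | src | counter | ciphertext+tag | FCS.
func (l *LinkEncryptor) Protect(frame []byte) ([]byte, error) {
	if len(frame) < macHeaderLen+2+fcsLen {
		return nil, errors.New("frame too short")
	}
	body, tail := frame[:len(frame)-fcsLen], frame[len(frame)-fcsLen:]
	if !bytes.Equal(fcs(body), tail) {
		return nil, errors.New("ingress frame has a bad FCS")
	}
	if l.ctr == ^uint64(0) {
		return nil, errors.New("counter exhausted: rekey before a nonce could repeat")
	}
	l.ctr++
	hdr := body[:macHeaderLen]
	out := append([]byte{}, hdr...)
	ctrBytes := make([]byte, ctrLen)
	binary.BigEndian.PutUint64(ctrBytes, l.ctr)
	out = append(out, ctrBytes...)
	out = l.aead.Seal(out, l.nonce(l.ctr), body[macHeaderLen:], hdr) // hdr is the AAD
	return append(out, fcs(out)...), nil
}

// Unprotect reverses Protect, rejecting replayed frames and any frame whose payload or
// MAC header was altered, even by an attacker who fixed up the FCS afterwards.
func (l *LinkEncryptor) Unprotect(frame []byte) ([]byte, error) {
	if len(frame) < macHeaderLen+ctrLen+l.aead.Overhead()+fcsLen {
		return nil, errors.New("frame too short")
	}
	body, tail := frame[:len(frame)-fcsLen], frame[len(frame)-fcsLen:]
	if !bytes.Equal(fcs(body), tail) {
		return nil, errors.New("bad FCS") // a line error, not evidence of tampering
	}
	hdr := body[:macHeaderLen]
	ctr := binary.BigEndian.Uint64(body[macHeaderLen : macHeaderLen+ctrLen])
	if ctr <= l.seen {
		return nil, errors.New("replayed or reordered frame")
	}
	out := append([]byte{}, hdr...)
	out, err := l.aead.Open(out, l.nonce(ctr), body[macHeaderLen+ctrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: payload or MAC header altered")
	}
	l.seen = ctr
	return append(out, fcs(out)...), nil
}

func main() {
	key := make([]byte, 32) // constructed example key, not a real one
	for i := range key {
		key[i] = byte(i)
	}
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	tx, _ := NewLinkEncryptor(key, salt)
	rx, _ := NewLinkEncryptor(key, salt)
	frame := BuildFrame([6]byte{0, 0x1b, 0x21, 0xaa, 0xbb, 0xcc}, [6]byte{0, 0x1b, 0x21, 0x11, 0x22, 0x33},
		0x0800, []byte("constructed IP packet contents"))
	prot, err := tx.Protect(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("clear %d bytes, protected %d bytes, MAC header unchanged: %v\n",
		len(frame), len(prot), bytes.Equal(frame[:macHeaderLen], prot[:macHeaderLen]))
	back, err := rx.Unprotect(prot)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, frame))
}
```

Two details matter in practice and are the reason the example tracks counters on both sides: GCM is only safe while no nonce is ever reused under a key, so the sender must refuse to wrap its counter and rekey instead, and a receiver that does not check the counter will happily accept a frame captured from the tap and replayed later.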

Layer 2 encryption applications

Because Layer 2 encryption has very low latency, it is highly suitable for voice, video and real-time communications. Typical applications include:

• Data center connectivity to multiple branch sites.

• Financial institutions, banks and federal government agencies with multiple sites.

• Disaster recovery data replication.

• Any case where reliable and secure voice and video transmission is a necessity.

Conclusion

Layer 2 encryption is a reliable, affordable and simple way to ensure the confidentiality and integrity of data in transit over optical fiber networks without sacrificing performance. It is an enabling technology with high throughput and low latency that can run at the maximum transmission rate, making it applicable to real-time communications.

Figure 5: Throughput versus packet size for Layer 2 and Layer 3