Layer 1 Encryption in WDM Transport Systems
Dr. Henning Hinderthür, PLM
2014 ADVA Optical Networking. All rights reserved. Confidential. 2
Security in Telco
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."
Edward Snowden, Guardian interview, Moscow, July 2014
http://www.theguardian.com/technology/internet
Data Center Environment & Security
(Diagram: applications in two data centers connected by a fiber link.)
Physical access to the data center
Hardware security
Software security
... and what about the fiber connection?
Fiber Optic Networks: Tapping Possibilities
There are multiple ways to access fiber.
Where to get access? Street cabinets; splice boxes / cassettes (outdoor and in-house).
How to get access? Y-bridge installed for service activities; fiber coupling device; protocol analyzer on the tapped signal.
Encryption: What Is Key?
Highest level of security
Speed: low latency
100% throughput
No jitter
Role-based management (multi-tenant management for carriers)
Encryption on the lowest possible layer
Encryption Basics: Key Length Magnitude
Number of grains of sand in 1 m³ of beach sand: ~2^40
Number of atoms in a human body: ~2^92
Number of atoms in the Earth: ~2^165
Number of atoms in the Sun: ~2^189
Number of atoms in the Milky Way: ~2^226
Number of atoms in the universe: ~2^259
AES-256 key space: 2^256
High Speed Encryption Modes
Mode                                         | Per-frame overhead | Scope and notes
Cisco Overlay Transport Virtualization (OTV) | +82 bytes          | IP VPN services, Cisco Nexus; huge overhead
MACsec (IEEE 802.1AE)                        | +32 bytes          | Ethernet only; hop-by-hop only
Cisco TrustSec                               | +40 bytes          | Ethernet only; hop-by-hop only
Bulk mode (Layer 1)                          | 0 bytes            | Point-to-point; protocol/interface agnostic (Ethernet, FC, IB, SONET/SDH); integrated solution with lowest latency
Overhead creates latency and throughput issues: bytes added to every frame are bytes a fixed-rate link cannot spend on payload.
Encryption Performance: Comparison of Maximum Throughput
(Chart: maximum throughput per encryption mode plotted against frame size in bytes.)
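The following Python script is an added example, not from the ADVA deck, that reproduces the kind of curve the chart above showed: it takes the per-frame overhead figures from the encryption-modes table and computes how much of a fixed-rate Ethernet link is left for customer frames at the RFC 2544 frame sizes. The 20 bytes of preamble, start-of-frame delimiter and minimum inter-frame gap per frame are standard Ethernet and are an assumption of the model, not a figure from the deck.

```python
# Added example (not from the ADVA deck): line-rate payload efficiency of an
# Ethernet link for each per-frame encryption overhead quoted on the slide.

# Bytes per frame that occupy the wire but are never payload:
# 7 B preamble + 1 B SFD + 12 B minimum inter-frame gap.  The FCS is counted
# inside the frame size, as throughput charts normally do.
PREAMBLE_SFD_IFG = 20

# Per-frame overhead in bytes, as quoted on the slide.
OVERHEAD = {
    "Bulk mode (Layer 1)": 0,
    "MACsec": 32,
    "Cisco TrustSec": 40,
    "Cisco OTV": 82,
}

# Standard test frame sizes (RFC 2544).
FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def efficiency(frame_size, overhead):
    """Fraction of the link bit rate that arrives as the customer's frames.

    A fixed-rate link carries frame_size + overhead + 20 bytes per frame but
    only frame_size of them belong to the customer.  Because the encryption
    bytes are added per frame, small frames lose the most.
    """
    return frame_size / (frame_size + overhead + PREAMBLE_SFD_IFG)


def relative_throughput(frame_size, overhead):
    """Throughput relative to the unencrypted link at the same frame size (1.0 = 100%)."""
    return efficiency(frame_size, overhead) / efficiency(frame_size, 0)


def throughput_table():
    """(frame size, {mode: relative throughput}) for every RFC 2544 frame size."""
    return [(size, {name: relative_throughput(size, oh) for name, oh in OVERHEAD.items()})
            for size in FRAME_SIZES]


if __name__ == "__main__":
    print(f"{'frame':>6} " + " ".join(f"{name:>20}" for name in OVERHEAD))
    for size, cols in throughput_table():
        print(f"{size:>6} " + " ".join(f"{100 * cols[name]:>19.1f}%" for name in OVERHEAD))
```

Only the zero-overhead row stays at 100% across all frame sizes; MACsec at 64-byte frames drops to about 72% of the unencrypted rate, which is the effect the slide's chart was drawn to show.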
Encryption using G.709 / OTH Link Protocol
Optical channel frame structure: 4 rows x 4080 columns
  Columns 1-14: OTU/ODU overhead
  Columns 15-16: OPU overhead
  Columns 17-3824: OPU payload (the encrypted area)
  Columns 3825-4080: FEC
  i.e. OCh overhead | OCh payload | FEC data
5TCE link protocol
  Supports OTU-2, OTU-2e, OTU-2f
  AES-256 encrypted OPU2 payload
  Automatic key exchange using Diffie-Hellman (DH)
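As an added example, not the 5TCE's code, the Python below lays out an OTU2 frame with the G.709 geometry just described and encrypts only the OPU payload columns, leaving the OTU/ODU/OPU overhead and the FEC columns untouched; that is what keeps the encrypted signal transparent to the OTN network in between. The deck names AES-256 but not the mode of operation, so a keystream derived from HMAC-SHA256 in counter fashion stands in for the cipher and the script runs with the standard library alone. The FAS and GCC2 byte positions come from G.709, not from the deck, and the sample frame content is constructed.

```python
# Added example, not the 5TCE's code: encrypt only the OPU payload area of an
# OTU2 frame and leave every overhead and FEC byte as it was.
import hashlib
import hmac

# G.709 frame geometry: 4 rows x 4080 columns (the slide numbers columns from 1).
ROWS, COLS = 4, 4080
OPU_OH_END, PAYLOAD_END = 16, 3824   # payload = columns 17..3824 -> 0-based [16, 3824)
# Overhead positions used below (from G.709, not from the deck):
FAS = bytes.fromhex("f6f6f6282828")             # frame alignment signal, row 1 cols 1-6
GCC2_OFFSETS = (3 * COLS + 2, 3 * COLS + 3)     # row 4 cols 3-4: channel the key exchange rides on


def payload_ranges():
    """0-based [start, end) byte ranges of the OPU payload, one per row."""
    return [(r * COLS + OPU_OH_END, r * COLS + PAYLOAD_END) for r in range(ROWS)]


def sample_frame():
    """Constructed plaintext frame: FAS in place, other overhead and FEC zero, counting payload."""
    f = bytearray(ROWS * COLS)
    f[0:6] = FAS
    for start, end in payload_ranges():
        f[start:end] = bytes(i & 0xFF for i in range(start, end))
    return bytes(f)


def keystream(key, frame_no, length):
    """Stand-in for the AES-256 keystream (mode unspecified in the deck): HMAC-SHA256 over
    (frame number, block counter).  Not AES; used so the script needs only the stdlib."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        msg = frame_no.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_payload(frame, key, frame_no):
    """XOR the keystream into columns 17-3824 of every row.  OTU/ODU/OPU overhead and the
    FEC columns pass through untouched; in the product FEC is recomputed after encryption."""
    if len(frame) != ROWS * COLS or len(key) != 32:
        raise ValueError("frame must be 4x4080 bytes and key 32 bytes")
    out = bytearray(frame)
    ks = keystream(key, frame_no, ROWS * (PAYLOAD_END - OPU_OH_END))
    pos = 0
    for start, end in payload_ranges():
        n = end - start
        out[start:end] = bytes(p ^ k for p, k in zip(frame[start:end], ks[pos:pos + n]))
        pos += n
    return bytes(out)


decrypt_payload = encrypt_payload   # keystream XOR is its own inverse


def clear_region_intact(plain, enc):
    """True iff every byte outside the payload area (overhead incl. GCC2, FEC) is unchanged."""
    in_payload = bytearray(ROWS * COLS)
    for start, end in payload_ranges():
        in_payload[start:end] = b"\x01" * (end - start)
    return all(p == e for i, (p, e) in enumerate(zip(plain, enc)) if not in_payload[i])


if __name__ == "__main__":
    key = bytes(range(32))          # constructed demo key
    frame = sample_frame()
    enc = encrypt_payload(frame, key, frame_no=1)
    print("FAS intact:", enc[:6] == FAS,
          "| overhead+FEC intact:", clear_region_intact(frame, enc),
          "| round trip:", decrypt_payload(enc, key, 1) == frame)
```

The check worth keeping from this is `clear_region_intact`: a Layer 1 encryptor that touched the FAS or the GCC bytes would break frame alignment or its own key-exchange channel, so the boundary between encrypted and clear columns is the property to test.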
FSP 3000 Encryption Highlights
Protection building blocks
Authentication via an initial authentication key, protecting the key exchange from man-in-the-middle attacks
AES-256 encryption for maximum data security
Diffie-Hellman (DH) key exchange for secure encryption key generation
New encryption key every 1 min / 10 min for additional security; key lifetime configurable
Lowest latency (100 ns) while providing 100% throughput
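The exchange described above, worked as an added Python example rather than ADVA's implementation: each end authenticates its Diffie-Hellman public value with a MAC under the pre-shared initial authentication key, so a man in the middle who substitutes his own value is rejected; both ends derive the same 256-bit session key, and a configurable lifetime decides when the next exchange is due (the 1 min and 10 min intervals on the following slides are just two settings of that lifetime). The group (the 2048-bit MODP group of RFC 3526), the HMAC-SHA256 tag and key-derivation construction, and the message layout are assumptions; in the product the messages travel in OTN GCC2 overhead bytes, abstracted here to function calls.

```python
# Added example, not ADVA's code: authenticated Diffie-Hellman key agreement
# between two Layer 1 encryptors, with rekeying after a configurable lifetime.
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14 (assumed; the deck says only "DH").
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
    """Miller-Rabin with fixed bases: sanity-check group parameters before trusting them."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class AuthenticationError(Exception):
    """The peer's public value did not carry a valid tag under the shared authentication key."""


def _tag(auth_key, name, pub):
    # MAC over identity and public value under the pre-shared authentication key.
    # This is what defeats a man in the middle: he cannot tag his own g^x.
    msg = b"L1-DH|" + name.encode() + b"|" + pub.to_bytes(256, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


class Encryptor:
    def __init__(self, name, auth_key, key_lifetime_s):
        self.name = name
        self._auth_key = auth_key              # the slide's "initial authentication key"
        self.key_lifetime_s = key_lifetime_s   # 60 or 600 s on the slides; configurable
        self._x = self._pub = None
        self.session_key = None
        self.key_set_at = None

    def offer(self):
        """Fresh ephemeral exponent; returns (name, public value, tag) to send to the peer."""
        self._x = secrets.randbits(256) | (1 << 255)   # 256-bit exponent suffices for a 256-bit key
        self._pub = pow(G, self._x, P)
        return self.name, self._pub, _tag(self._auth_key, self.name, self._pub)

    def accept(self, peer_name, peer_pub, peer_tag, now):
        """Verify the peer's tag, then derive the 256-bit AES session key."""
        if self._x is None:
            raise RuntimeError("call offer() before accept()")
        if not hmac.compare_digest(peer_tag, _tag(self._auth_key, peer_name, peer_pub)):
            raise AuthenticationError(f"{self.name}: bad tag on public value from {peer_name}")
        if not 1 < peer_pub < P - 1:
            raise AuthenticationError(f"{self.name}: public value outside the group")
        shared = pow(peer_pub, self._x, P)
        lo, hi = sorted((self._pub, peer_pub))   # same ordering on both ends
        ikm = shared.to_bytes(256, "big") + lo.to_bytes(256, "big") + hi.to_bytes(256, "big")
        self.session_key = hmac.new(b"L1-AES-256-key", ikm, hashlib.sha256).digest()
        self._x = None                      # discard the exponent: old keys cannot be recomputed
        self.key_set_at = now
        return self.session_key


def needs_rekey(enc, now):
    """Key lifetime expired (or no key yet): time for the next exchange."""
    return enc.key_set_at is None or now - enc.key_set_at >= enc.key_lifetime_s


def rekey(a, b, now):
    """One exchange across the link (GCC2 in the product); returns both ends' keys."""
    na, pa, ta = a.offer()
    nb, pb, tb = b.offer()
    return a.accept(nb, pb, tb, now), b.accept(na, pa, ta, now)


def mitm_attempt(a, b, now):
    """Attacker on the fiber swaps A's public value for his own; True if B rejects it."""
    na, pa, ta = a.offer()
    b.offer()
    evil_pub = pow(G, secrets.randbits(256), P)
    try:
        b.accept(na, evil_pub, ta, now)     # ta was computed over pa, not evil_pub
    except AuthenticationError:
        return True
    return False
```

Two details carry the security argument: the tag covers the sender's identity as well as the public value, so a captured tag cannot be replayed under another name, and the exponent is erased once the session key is derived, so a later compromise of the unit does not recover keys from earlier intervals. A wrong authentication key on either end fails the tag check exactly as the man in the middle does, which is how the units detect a mis-provisioned peer.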
Universal Enterprise Mux-/Transponder (10G)
Variants: 5TCE-PCN-8GU+AES10GS (SDH network variant), 5TCE-PCN-10GU+AES10G (10G muxponder with encryption)
AES-256 encryption; dynamic key exchange every 10 minutes
Client side: 5x any multi-service clients (3x SFP, 2x SFP/SFP+), transparent or framed mode
  Client rates: 5x GbE, 5x 1G/2G FC, 3x 4G FC, 8G/10G FC, 5G IB / 10G IB, STM-16/64, 10GbE
Mapping: TDM multiplexing, proprietary framing, OTN and Ethernet performance monitoring, GCC0
Network side: pluggable SFP+ (DWDM, CWDM or grey); ODU2 into OTU2 with GFEC, or STM-64 with proprietary framing
Universal Enterprise Muxponder 100G
100G Metro Muxponder with Encryption: 10TCE-PCN-16GU+AES100G
AES-256 encryption; the 2048-bit figure quoted on the slide refers to the Diffie-Hellman key exchange, as an AES-256 key is 256 bits
Dynamic key exchange every 1 minute
Client side: up to 10x any multi-service on 10x SFP+ (10GbE, FC 8/10/16, 5G InfiniBand)
  Client rates: 10x 10GbE (WAN/LAN), 10x 8G FC, 8x 10G FC, 7x 16G FC, 10x STM-64/OC-192, 10x 5G IB
  40GbE/100GbE by means of 4x/10x 10GbE via breakout cable (SR4, LR4 and SR10)
Mapping: GMP into ODUflex, multiplexed into ODU4
Network side: CFP, DWDM (4x 28G, 96 channels C-band), OTU4 with configurable EFEC and OTN performance monitoring
Layer 1 Encryption Solution Suite (client services from 1G to 100G)
AES 10G Encryption: GbE, FC 1G/2G/4G/8G/10G, IB 5G, STM-16/OC-48, STM-64/OC-192, 10GbE
AES 100G Encryption: 10GbE, STM-64/OC-192, FC 8G/10G/16G, IB 5G, 40GbE, 100GbE
Encryption Management & Operations

Data Center Networks: Encryption Management for Private Networks
Scenario 1: the user of encryption is also the operator of the equipment
  FSP NM server and FSP NM clients on the LAN (or FSP EM, LCT/CLI) reach the FSP and third-party NEs over the DCN
  Crypto Manager runs on the FSP NM
Scenario 2: the encryption user does not own the network
  The network owner's FSP NM server and clients manage the NEs over the DCN
  Customer A reaches a GUI server running the NM client apps over the WWW
  Crypto Manager runs on that GUI server, separate from the network owner's management system
Crypto Management: Management Levels Provided
Operational management
  Deals with all operational aspects (FCAPS)
  User access is handled on the NCU
Security management
  Controls all security-relevant activities
  Separated from operational management
  Access control is handled on the AES muxponder, not on the NCU
  Security-relevant activities require the security credentials
  ROOT users have no access to security management
Encryption over OTN Networks

1GbE & 10GbE services
  5TCE-PCN+AES10G at Site A and Site B; LAN clients n*1GbE or 10GbE
  Network side STM-64c or OTU-2e across a carrier-managed OTN service
  Managed by FSP Network & Crypto Manager

10GbE, 40GbE, 100GbE services
  10TCE-PCN-16GU+AES100G at Site A and Site B; multi-rate LAN clients
  Network side LR10R OTU-4 at 111.809 Gb/s across a carrier-managed OTN service
  GCC2 used for key exchange and other functions; setup via ECC (GCC0) or an external DCN connection
  Managed by FSP Network & Crypto Manager
Layer 1 Encryption In Operation

Where ADVA Encryption is in Operation
1,600 x 10G encrypted links in operation, by sector:
  Finance: ~62% (50 customers), >1,000 links
  Government: ~10% (13 customers), >150 links
  Healthcare: ~10% (7 customers), >150 links
  Other large industry: ~16%, >250 links (chart breakdown: 10% large industry, 14 customers)
  Cloud service providers: 4% (9 customers)
  Other industry: 4%
  Utilities: ~2% (3 customers), >50 links
Market context: Department for Business, Innovation & Skills, 2013 Information Security Breaches Survey, http://www.gov.uk/bis
Thank You
IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright for the entire content of this presentation: ADVA Optical Networking.