Posted: 05-Dec-2014 | Category: Technology | Uploaded by: adva-optical-networking
© 2014 ADVA Optical Networking. All rights reserved. Confidential.
Security in Telco
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."
Edward Snowden – Guardian interview, Moscow, July 2014
Data Center Environment & Security
[Figure: two data centers running applications (APPS), with the security layers below called out one by one]
• Physical access to the data center
• Hardware security
• Software security
• …and what about the fiber connection?
Fiber Optic Networks: Tapping Possibilities
There are multiple ways to access fiber. How to get access? Where to get access?
• Fiber coupling device
• Y-bridge for service activities
• Street cabinet
• Splice boxes / cassettes (outdoor / in-house)
• Protocol analyzer
Encryption: What is Key?
• Highest level of security
• Speed – low latency
• 100% throughput
• No jitter
• Role-based management (multi-tenant management for carriers)
Encryption on the lowest possible layer
Encryption Basics: Key Lengths – Magnitude
Number of grains in 1 m³ of beach sand: 2^40
Number of atoms in a human body: 2^92
Number of atoms in the earth: 2^165
Number of atoms in the sun: 2^189
Number of atoms in the Milky Way: 2^226
Number of atoms in the universe: 2^259
AES256 key space: 2^256 keys
High Speed Encryption Modes
Per-frame overhead:
• Cisco Overlay Transport Virtualization (OTV): +82 bytes
• Cisco TrustSec: +40 bytes
• MACsec: +32 bytes
• Bulk mode (Layer 1): 0 bytes
Higher-layer modes (OTV, TrustSec, MACsec; Cisco Nexus, IP VPN services): hop-by-hop only, Ethernet only, huge overhead that creates latency and throughput issues.
Bulk mode: point-to-point, protocol / interface agnostic (Ethernet, FC, IB, SONET/SDH), integrated solution with lowest latency.
Encryption Performance: Comparison of Maximum Throughput
[Chart: throughput (y-axis) versus frame size in bytes (x-axis)]
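To put numbers on the "overhead creates latency and throughput issues" point and the throughput-versus-frame-size chart, here is an added Python example (not from the ADVA deck) that computes the maximum throughput of original frames, relative to an unencrypted link, for each per-frame overhead quoted above. It assumes standard Ethernet framing (8-byte preamble/SFD, 12-byte inter-frame gap, 1518-byte maximum frame); the frame sizes are constructed sample points.

```python
# Added example, not from the ADVA deck: relative maximum throughput of an
# encrypted Ethernet link versus frame size and per-frame encapsulation
# overhead. Overheads are the slide's figures; Ethernet constants are standard.
PREAMBLE_SFD = 8
IFG = 12
LINE_OVERHEAD = PREAMBLE_SFD + IFG   # wire bytes per frame beyond the frame itself
MAX_STD_FRAME = 1518                 # largest untagged Ethernet frame

# Bytes added to every frame by each encryption mode, as listed on the slide.
MODES = {
    "bulk (Layer 1)": 0,
    "MACsec": 32,
    "TrustSec": 40,
    "OTV": 82,
}

FRAME_SIZES = (64, 128, 256, 512, 1024, 1518)   # constructed sample points


def wire_bytes(frame_size: int, overhead: int) -> int:
    """Bytes one original frame occupies on the wire after encapsulation."""
    return frame_size + overhead + LINE_OVERHEAD


def relative_throughput(frame_size: int, overhead: int) -> float:
    """Max throughput of original frames relative to the unencrypted link (1.0 = 100%)."""
    return wire_bytes(frame_size, 0) / wire_bytes(frame_size, overhead)


def needs_jumbo(frame_size: int, overhead: int) -> bool:
    """True if the encapsulated frame no longer fits a standard Ethernet frame."""
    return frame_size + overhead > MAX_STD_FRAME


def throughput_table() -> dict:
    """Relative throughput per mode and frame size, rounded to three decimals."""
    return {
        mode: {fs: round(relative_throughput(fs, oh), 3) for fs in FRAME_SIZES}
        for mode, oh in MODES.items()
    }


if __name__ == "__main__":
    table = throughput_table()
    print("frame " + "".join(f"{m:>16}" for m in MODES))
    for fs in FRAME_SIZES:
        print(f"{fs:>5} " + "".join(f"{table[m][fs]:>16.1%}" for m in MODES))
    print({m: needs_jumbo(MAX_STD_FRAME, oh) for m, oh in MODES.items()})
```

Small frames suffer most: a 64-byte frame under OTV's 82-byte overhead gets roughly half the throughput of the plain link, while bulk mode stays at 100% for every size and never pushes a maximum-size frame past the standard limit.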
Encryption Using G.709 / OTH Link Protocol
[Figure: optical channel frame structure, 4 rows by 4080 columns: columns 1–14 OTU/ODU overhead, 15–16 OPU overhead, 17–3824 OPU payload (the encrypted payload), 3825–4080 FEC area; i.e. OCH overhead, OCH payload, FEC data. Encryption and key exchange are marked on the frame.]
• 5TCE link protocol supports OTU-2, OTU-2e and OTU-2f
• AES 256 encrypted OPU2 payload
• Automatic key exchange using DH
FSP 3000 Encryption Highlights
Protection building blocks:
• Authentication via an initial authentication key to protect against man-in-the-middle attacks
• AES256 encryption for maximum data security
• Diffie-Hellman (DH) key exchange for secure encryption key generation
• New encryption key every 1 min / 10 min for additional security
• Key lifetime configurable
• Lowest latency (100 ns) while providing 100% throughput
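The building blocks above (initial authentication key against man-in-the-middle, DH key exchange, AES256, a fresh key on every key-lifetime expiry) as an added Python example that is not ADVA's code: each DH public value is bound to the sender's identity with an HMAC under the pre-shared authentication key, the receiver verifies that binding before deriving a 256-bit AES key, and every call to offer() is a fresh exchange of the kind the product repeats every 1 or 10 minutes. The group parameters, site names and the impostor's wrong key are constructed toy values.

```python
import hashlib
import hmac
import secrets

# Toy group for readability only (2^64 - 59 is prime; generator 2 is a toy
# choice). The product uses far larger parameters (the deck mentions 2048-bit keys).
P = 0xFFFFFFFFFFFFFFC5
G = 2


def _mac(auth_key: bytes, name: bytes, public: int) -> bytes:
    """Bind a DH public value to the sender's identity under the pre-shared authentication key."""
    return hmac.new(auth_key, name + public.to_bytes(8, "big"), hashlib.sha256).digest()


class Endpoint:
    def __init__(self, name: bytes, auth_key: bytes):
        self.name, self.auth_key = name, auth_key
        self.priv = self.pub = None

    def offer(self):
        """Start a fresh exchange: new DH key pair plus an authenticated public value."""
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        return self.name, self.pub, _mac(self.auth_key, self.name, self.pub)

    def accept(self, peer_name: bytes, peer_pub: int, peer_mac: bytes) -> bytes:
        """Verify the peer's value before using it, then derive a 256-bit AES key."""
        if not hmac.compare_digest(peer_mac, _mac(self.auth_key, peer_name, peer_pub)):
            raise ValueError("unauthenticated public value: possible man in the middle")
        shared = pow(peer_pub, self.priv, P)
        lo, hi = sorted((self.pub, peer_pub))  # both sides hash the same transcript
        return hashlib.sha256(b"".join(x.to_bytes(8, "big") for x in (shared, lo, hi))).digest()


def run_exchange(auth_key: bytes):
    """Both endpoints hold the authentication key and derive the same session key."""
    a, b = Endpoint(b"siteA", auth_key), Endpoint(b"siteB", auth_key)
    offer_a, offer_b = a.offer(), b.offer()
    return a.accept(*offer_b), b.accept(*offer_a)


def mitm_rejected(auth_key: bytes) -> bool:
    """A party without the authentication key cannot pass its own public value off as site A's."""
    b = Endpoint(b"siteB", auth_key)
    impostor = Endpoint(b"siteA", b"not-the-authentication-key")  # constructed wrong key
    b.offer()
    try:
        b.accept(*impostor.offer())
    except ValueError:
        return True
    return False
```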
10G Muxponder with Encryption: 5TCE-PCN-10GU+AES10G
• Universal enterprise mux-/transponder
• AES256 encryption
• Dynamic key exchange every 10 minutes
• 5x any multi-service clients
• Transparent / framed mode
• SDH network variant: 5TCE-PCN-8GU+AES10GS
[Block diagram: client module with 3x client SFP and 2x client SFP/SFP+ (5x GbE, 5x 1G/2G FC, 3x 4G FC, 8G/10G FC, 5G/10G IB, STM-16/64, 10GbE); TDM with proprietary framing, OTN/Ethernet PM, GCC0; AES encryption; network module with pluggable SFP+ (DWDM / CWDM / grey) carrying ODU2/OTU2 with GFEC or STM-64]
100G Metro Muxponder with Encryption: 10TCE-PCN-16GU+AES100G
• Universal enterprise muxponder 100G
• AES256 encryption with 2048-bit key
• Dynamic key exchange every 1 minute
• Up to 10x any multi-service
• 10GE, FC8/10/16, 5G InfiniBand
• 40GE/100GE by means of 4x/10x 10GbE via breakout cable (SR4, LR4 and SR10)
[Block diagram: client module with 10x client SFP+ (10x 10GbE WAN/LAN, 10x 8G FC, 8x 10G FC, 7x 16G FC, 10x STM-64/OC-192, 10x 5G IB); GMP into ODUflex, OTN PM; AES encryption; network module with DWDM CFP (4x 28G, 96-channel C-band; CWDM / grey also shown) carrying ODU4/OTU4 with configurable EFEC]
Layer 1 Encryption Solution Suite
[Chart: client services by rate band (1G–5G, 5G–15G, 40G, 100G) against the AES 10G Encryption and AES 100G Encryption cards]
Services shown: GbE, FC 1G, FC 2G, STM-16/OC-48, FC 4G, IB 5G, FC 8G, STM-64/OC-192, 10GbE, FC 10G, FC 16G, 40GbE, 100GbE.
Encryption Management & Operations
Data Center Networks: Encryption Management for Private Networks
Scenario 1 – User of encryption is the operator of the equipment
[Figure: FSP NM server and FSP NM clients on the LAN, FSP EM or LCT/CLI, third-party NEs reached over the DCN; Crypto Manager running on the FSP NM]
Scenario 2 – Encryption user does not own the network
[Figure: FSP NM server and FSP NM clients on the LAN and DCN with third-party NEs; Customer A reaches, over the WWW, a GUI server running the NM client apps; Crypto Manager running on the GUI server]
Crypto Management: Management Levels Provided
• Operational management
  • Deals with all operational aspects (FCAPS)
  • User access is handled on the NCU
• Security management
  • Control of all security-relevant activities
  • Separated from operational management
  • Access control handling on the AES muxponder, not on the NCU
  • Security-relevant activities are performed using the security-relevant credentials
  • ROOT users have no access to security management
Encryption over OTN Networks: 1GbE & 10GbE Services
[Figure: Site A LAN and Site B LAN, each with n×1GbE / 10GbE clients into a 5TCE-PCN+AES10G; the two cards are connected as STM-64c / OTU-2e across an OTN network (carrier managed service); FSP Network & Crypto Manager]
Encryption over OTN Networks: 10GbE, 40GbE, 100GbE Services
[Figure: Site A LAN and Site B LAN, each with multi-rate clients into a 10TCE-PCN-16GU+AES100G; the two cards are connected as LR10R OTU-4 (111.809 Gb/s) across an OTN network (carrier managed service); FSP Network & Crypto Manager]
GCC2 is used for key exchange and other functions; setup via ECC (GCC0) or an external DCN connection.
Layer 1 Encryption in Operation
Where ADVA Encryption is in Operation
Source: Department of Business Innovation & Skills, 2013 Information Security Breaches Survey (www.gov.uk/bis)
1,600 × 10G encrypted links in operation:
• 62% Finance (50 customers)
• 10% Government (13 customers)
• 10% Healthcare (7 customers)
• 10% Large industry (14 customers)
• 4% Cloud SPs (9 customers)
• 4% Other industry
• 2% Utilities (3 customers)
Share of ADVA layer 1 encryption sales by sector: Finance ~62% (> 1,000 links); Other large industry ~16% (> 250 links); Government ~10% (> 150 links); Healthcare ~10% (> 150 links); Utilities ~2% (> 50 links).
Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.