PACKETLIGHT ENCRYPTION SOLUTION
PL-1000TE Crypto: GbE, 10G, 40G Eth, 4G/8G/10/16G FC
Encryption Is Essential and Awareness Is Growing
• It is not so difficult to tap fiber optics; many YouTube videos show how simple it is:
https://www.youtube.com/watch?v=2fP-j4XCuFs
• Governments have initiated new sets of laws and guidelines to protect essential and financial infrastructures
• Hackers and cyber attacks are posing strategic threats to any enterprise
Benefit of Layer-1 Encryption
• Encryption of all the data passing over the fiber, with no room for omissions
• Transparent, maintaining the full bandwidth of the traffic
• Beneficial for low-latency applications
• Includes detection of physical fiber tapping
• Interfaces to existing DWDM infrastructure and Telco OTN networks
• No need to change or upgrade the Layer-2/3 switches/routers
Fiber Security Layers
Physical Layer: optical power monitoring per service; automatic detection of fiber tapping
Data Plane: Layer-1 transparent full-bandwidth encryption; GCM-AES-256 (Advanced Encryption Standard); Diffie-Hellman key exchange; authentication using SHA-256
Management Plane: SNMPv3; RADIUS; management firewall; HTTPS; Secure Shell
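The physical-layer line above says the unit monitors received optical power per service and raises an automatic fiber-tapping alarm, but does not describe the decision rule. The Go program below is an added illustration, not PacketLight code: it models one plausible detector in which a coupler inserted on the fiber shows up as a sustained drop in received power relative to a slowly tracking baseline. The 1 dB drop threshold, the three-reading persistence filter, the EWMA baseline and the sample readings are all constructed assumptions for this model.

```go
package main

import "fmt"

// Reading is one received-optical-power sample for one encrypted service, in dBm.
type Reading struct {
	Service  string
	PowerDBm float64
}

// Monitor keeps a slowly tracking baseline per service and alarms when received power
// stays more than DropDB below the baseline for Persist consecutive readings.
// The threshold and persistence values are assumptions for this model, not the
// PL-1000TE's own settings.
type Monitor struct {
	DropDB  float64
	Persist int
	base    map[string]float64
	low     map[string]int
}

func NewMonitor(dropDB float64, persist int) *Monitor {
	return &Monitor{DropDB: dropDB, Persist: persist, base: map[string]float64{}, low: map[string]int{}}
}

// Observe feeds one reading and reports whether it triggers a tapping alarm.
func (m *Monitor) Observe(r Reading) bool {
	base, seen := m.base[r.Service]
	if !seen {
		m.base[r.Service] = r.PowerDBm // first reading becomes the baseline
		return false
	}
	if base-r.PowerDBm >= m.DropDB {
		m.low[r.Service]++ // a tap splits light off the fiber: received power drops
		return m.low[r.Service] >= m.Persist
	}
	m.low[r.Service] = 0
	m.base[r.Service] = 0.9*base + 0.1*r.PowerDBm // EWMA absorbs slow drift and ageing
	return false
}

// Alarms runs a reading sequence and returns the services that alarmed, in order of first alarm.
func Alarms(m *Monitor, readings []Reading) []string {
	var out []string
	seen := map[string]bool{}
	for _, r := range readings {
		if m.Observe(r) && !seen[r.Service] {
			seen[r.Service] = true
			out = append(out, r.Service)
		}
	}
	return out
}

// ConstructedReadings: svc-1 suffers a sustained ~1.5 dB drop (tap-like); svc-2 has one glitch.
func ConstructedReadings() []Reading {
	return []Reading{
		{"svc-1", -7.0}, {"svc-2", -9.0},
		{"svc-1", -7.1}, {"svc-2", -10.2},
		{"svc-1", -6.9}, {"svc-2", -9.1},
		{"svc-1", -8.5}, {"svc-2", -9.0},
		{"svc-1", -8.6}, {"svc-2", -9.05},
		{"svc-1", -8.6}, {"svc-2", -9.0},
	}
}

func main() {
	fmt.Println("services with tapping alarm:", Alarms(NewMonitor(1.0, 3), ConstructedReadings()))
}
```

The persistence filter is what separates a transient glitch (svc-2's single low reading) from a step change that stays (svc-1), and the slow baseline update means normal connector ageing never reaches the threshold; on a real system the alarm would also be correlated with the link's loss-of-signal state before it is treated as a tap.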
PL-1000TE-Crypto Features
• 8 full bi-directional 3R multi-type/rate transponders
• 8 independent AES-256 encryption machines and key exchanges, one per service
• Fully compliant with FIPS 140-2 Level 2 and NSA Suite B
• Flexible, user-configurable multirate interface support for:
  – Data: GbE, 10GbE, 40GbE LAN
  – Storage: 4G/8G/10G/16G FC
• Performance monitoring on all interfaces
• Data-flow transparent, ultra-low latency
• Optional 1+1 optical facility protection using an optical switch
• Integrated passive optics (Mux/DeMux), optical amplifiers (EDFAs)
• Pay-as-you-grow architecture (pluggable SFP+s)
• Dual redundant pluggable AC/DC PSU and FAN unit
“1U Data and Storage Layer-1 Encryption solution”
Encryption Mechanism PL-1000TE
PL-1000TE-Crypto Encryption Solution Description
• Supports 8 independent bi-directional encryption/decryption machines
• Each encryption/decryption machine can be configured to a different service rate/type and has its own key exchange and pre-shared secret
• Conforms with known encryption standards: GCM-AES-256 (Advanced Encryption Standard), Diffie-Hellman key exchange, FIPS 140-2 Security Level 2, Suite B, CNSSP-15 cryptography
• Encryption provides: confidentiality, data integrity, authentication
• Supports user-configurable services:
  – 1G/10G/40G Ethernet
  – 4G/8G/10G/16G FC
• Low latency: < 20 µsec for encrypted 10G ETH
• Supports secured key distribution
• 8 optical transponders, optional Mux/DeMux, optical amplifier and OSW
PL-1000TE Encryption Functionality

Requirement | Function | Algorithm | Standard | FIPS 140-2 / Suite B
Cryptographic Algorithm | Encryption Algorithm | GCM-AES-256 | FIPS 197 and SP 800-38D | Yes
Key Management | Key Establishment | Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) with a Pre-Shared Secret | SP 800-56A | Yes
Key Message Authentication | Message digest with a Pre-Shared Key | Secure Hash Algorithm 2 (SHA-256) | FIPS 180-4 | Yes
Self Tests | Integrity tests | On power-up, check the digest of the software encryption modules and run test vectors with known answers (KAT) | – | Yes / N/A
Random Number Generator | Used for key generation | True Random (TRNG) with FDK-100, and Deterministic Random Bit Generator (DRBG) | SP 800-90 | N/A
Access Control | Authentication | Role-based, user/password authentication | – | Yes / N/A
Physical Security | Tamper evidence | – | – | Yes
EMI/EMC | FCC Part 15 Class A | – | – | Yes / N/A
Services | Supported Services | GbE, 10GbE, 40GbE, 4G-FC, 8G-FC, 10G-FC, 16G-FC | – | N/A / N/A
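The Encryption Mechanism slide and the functionality table above name the building blocks of one encryption machine: an ECC cofactor Diffie-Hellman exchange bound to a pre-shared secret (SP 800-56A), a SHA-256 message digest keyed with that secret, GCM-AES-256 for confidentiality and integrity, and a power-up known-answer self-test. The Go program below is an added worked model of how those pieces fit together for one service; it is not PacketLight's implementation and does not reproduce the device's wire format. Assumptions are marked in the code: the P-384 curve, the SP 800-56A one-step KDF with a constructed OtherInfo label, the direction-plus-sequence nonce layout, and the constructed pre-shared secret and client frame.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed stand-in for the pre-shared secret the Crypto Officer provisions at both ends.
var preSharedSecret = []byte("constructed-demo-pre-shared-secret")

// Endpoint models one encryption machine on one end of a single service.
type Endpoint struct {
	priv *ecdh.PrivateKey // ephemeral key for this key-exchange period
	Pub  []byte           // public key sent to the peer (in-band on the real device)
	aead cipher.AEAD      // AES-256-GCM once the key is established
	seq  uint64           // per-frame counter, feeds the GCM nonce
}

// NewEndpoint generates a fresh P-384 key pair (Suite B curve; an assumption of this model).
func NewEndpoint() *Endpoint {
	priv, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: the module must not come up
	}
	return &Endpoint{priv: priv, Pub: priv.PublicKey().Bytes()}
}

// keyTag authenticates a public key: SHA-256 message digest (HMAC) keyed with the pre-shared secret.
func keyTag(pub []byte) []byte {
	mac := hmac.New(sha256.New, preSharedSecret)
	mac.Write(pub)
	return mac.Sum(nil)
}

// Establish rejects an unauthenticated peer key, runs ECDH (P-384 has cofactor 1, so this equals ECC CDH) and derives the AES-256 key.
func (e *Endpoint) Establish(peerPub, peerTag []byte) error {
	if !hmac.Equal(keyTag(peerPub), peerTag) {
		return errors.New("peer key failed pre-shared-secret authentication")
	}
	pk, err := ecdh.P384().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	z, err := e.priv.ECDH(pk)
	if err != nil {
		return err
	}
	// SP 800-56A one-step KDF: SHA-256(counter || Z || OtherInfo); the 32-byte digest is the AES-256 key.
	key := sha256.Sum256(append(append([]byte{0, 0, 0, 1}, z...), "PL-1000TE demo service 1"...))
	block, _ := aes.NewCipher(key[:])
	e.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts one client frame; nonce = direction || sequence, so it never repeats under one key.
func (e *Endpoint) Seal(dir byte, frame []byte) []byte {
	nonce := make([]byte, 12)
	nonce[0] = dir
	binary.BigEndian.PutUint64(nonce[4:], e.seq)
	e.seq++
	return append(nonce, e.aead.Seal(nil, nonce, frame, nil)...)
}

// Open authenticates and decrypts; any modified bit fails the GCM tag check.
func (e *Endpoint) Open(wire []byte) ([]byte, error) {
	if len(wire) < 12 {
		return nil, errors.New("frame too short")
	}
	return e.aead.Open(nil, wire[:12], wire[12:], nil)
}

// SelfTest is the power-up known-answer test: GCM spec test case 13 (all-zero 256-bit key and 96-bit IV, empty plaintext).
func SelfTest() error {
	block, _ := aes.NewCipher(make([]byte, 32))
	gcm, _ := cipher.NewGCM(block)
	if fmt.Sprintf("%x", gcm.Seal(nil, make([]byte, 12), nil, nil)) != "530f8afbc74536b9a963b4f1c4cb738b" {
		return errors.New("AES-256-GCM known-answer test failed: do not pass traffic")
	}
	return nil
}

func main() {
	a, b := NewEndpoint(), NewEndpoint()
	if SelfTest() != nil || a.Establish(b.Pub, keyTag(b.Pub)) != nil || b.Establish(a.Pub, keyTag(a.Pub)) != nil {
		panic("self-test or key establishment failed")
	}
	wire := a.Seal(0x01, []byte("constructed 10GbE client frame"))
	frame, err := b.Open(wire)
	wire[len(wire)-1] ^= 0x80 // one bit flipped in transit
	_, tamperErr := b.Open(wire)
	fmt.Printf("recovered=%q err=%v tamperRejected=%v\n", frame, err, tamperErr != nil)
}
```

Two points the table states but the prose does not spell out are visible here: the pre-shared secret is what turns an anonymous Diffie-Hellman exchange into an authenticated one (a peer that cannot produce the tag is refused before any shared secret is computed), and GCM's tag is what delivers the "data integrity" row, so a single flipped bit on the fiber is rejected rather than decrypted to garbage. A fresh ephemeral key pair per key-exchange period is what limits the exposure of any one session key.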
Mapping of the Encrypted Services
• The mapping of the encrypted services is done according to the following table
• The bit rate of the encrypted 64b/66b service is the same as the client rate
• The Diffie-Hellman key exchange is done in-band to the encrypted signal

Service | Client Rate | Uplink Rate | Encrypted Signal Rate
Encrypted 10GbE | 10.3125G | 10.3125G | 10GbE
Encrypted 1GbE | 1.25G | 2.125G | 2GFC
Encrypted 4G FC | 4.25G | 10.3125G | 10GbE
Encrypted 8G FC | 8.5G | 10.3125G | 10GbE
Encrypted 10G FC | 10.51875G | 10.51875G | 10GFC
Encrypted 16G FC | 14.025G | 14.025G | 16GFC
Encrypted 40GbE | 4x 10.3125G | 4x 10.3125G | 4x 10GbE
PL-1000TE-Crypto Applications
• Secured fiber network infrastructure for:
  – Government and data center connectivity
  – Banks, credit card companies and other financial institutes
  – Cloud providers and ISP backbones
  – Utilities and essential infrastructure
• Feeder of encrypted services to existing Optical Transport Networks (OTN)
• Managed encrypted wavelength services offered by service providers
• Internal data center secured connectivity
8 Encrypted Services Agnostic To Switch Vendor
[Figure: PL-1000TE Crypto units between switch/router pairs of any vendor, carrying encrypted 1G/10G/40G Eth and 4G/8G/10G/16G FC services]
Secured Fiber Network Infrastructure
[Figure: encryption managed by the customer]
Encrypted Services Over OTN Backbone OTU2/OTU4
[Figure: PL-1000GT front panels at both ends of a 10/100G OTN backbone (OTU2/OTU4)]
10G Encryption Over Standard 100G OTU4 Uplink
Using 10G encrypted uplinks into a 100G OTU4 uplink
[Figure: PL-1000GT and PL400 front panels; 10G LAN and 8G FC services carried over a 3rd party OTN infrastructure (Dark Fiber/OTU4)]
10G Encryption Over Standard 10G OTU2 Uplink
Using 10G encrypted uplinks into a 10G OTU2 uplink
[Figure: 10G LAN and 8G FC services over Dark Fiber/OTU2]
Service Type Selection
Encryption Configuration
Crypto Officer Functionality
• The Crypto Officer is a single built-in user, 'crypto', that is not manageable by the Admin user.
• Only the Crypto Officer is allowed to change its own password (default: 'crypto').
• Only the Crypto Officer has access to the Encryption tab with the pre-shared-secret information and the Key Exchange Period.
• In all other respects the Crypto Officer user behaves like a Read-Only user for GUI and CLI purposes.
• The Crypto Officer user can log in to the device remotely via the Web GUI over HTTP/HTTPS. The Crypto Officer user is not available via SNMPv3.
• To prevent the Admin from changing the service type from encrypted to non-encrypted, the Crypto Officer has the option to lock the encrypted service.
• For a locked encrypted service, the Admin user cannot change the service type. In addition, if there is at least one locked service, the Admin is not allowed to: restore to factory defaults, load a previously saved configuration file, or switch between SW loads.
Firewall
• The built-in firewall allows blocking of any selected IP address or protocol(s).
PL-1000TE Management Security
• HTTPS – secured HTTP
• SNMPv3 support
• SSH – Secure Shell (secured replacement for Telnet)
RADIUS
• PL-1000TE supports RADIUS for centralized user management
• Up to two RADIUS servers are supported for protection
Thank you!
www.packetlight.com