Securing optical networks: the role of encryption. By Duncan Ellis, systems engineering director EMEA channels and enterprise, at Ciena.
There is a widespread belief that fibre optic networks are inherently secure because they carry data as light rather than electrical current. This is not the case. The equipment needed to tap an optical network is, in fact, relatively inexpensive, and with the right tools and knowledge a fibre is not much more difficult to compromise than a copper wire. Securing the network is only possible, however, if IT managers and CIOs look beyond servers, databases, routers, and switches to the fibre network beyond the walls of the data centre.
Hackers, upon accessing the fibre cables, can extract light through two main methods: bending (using a clip-on coupler to make some light radiate through the fibre's cladding) and splicing (creating a splice in the fibre to tap into the transmitted signal). Contactless methods to hack into a cable have also been developed. Once the fibre is compromised, hackers have access to the whole signal that travels through the network core and at this stage the only viable means of protection is encryption.
The majority of applications in the enterprise network use IP (layer 3) for data transfer and communication. As such, application-level encryption appears to be the logical choice for IT managers. With application-level encryption, data is already encrypted when it reaches optical network elements to be transmitted to another location in the enterprise network. In some applications, however, Layer 3 encryption can negatively impact the efficiency of operations. A sizeable overhead is often added to the payload data packets, effectively reducing the operational data throughput while the encryption process itself contributes considerable latency to the data transfer. This can adversely impact higher level applications, creating network oscillation and severe performance degradation.
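To make the overhead argument concrete, the following added example (constructed for this page, not from the article or from Ciena) models the per-packet bytes that an IPsec ESP tunnel adds to every IP packet and compares the resulting share of line rate with bulk Layer 1 encryption. It assumes ESP with AES-GCM in tunnel mode over IPv4 with a 128-bit ICV, standard Ethernet framing, and that the Layer 1 encrypter encrypts the transport payload in place and adds no bytes per frame.

```python
"""Line-rate efficiency: IP-layer (IPsec ESP tunnel) versus bulk Layer 1 encryption.

Constructed example; header sizes follow RFC 4303/4106 for ESP with AES-GCM in
tunnel mode over IPv4. The Layer 1 case assumes the frame is carried unchanged.
"""

ETH_HDR, ETH_FCS, ETH_PREAMBLE, ETH_IFG = 14, 4, 8, 12
ETH_MIN_FRAME = 64   # header + payload + FCS; shorter frames are padded up
OUTER_IPV4 = 20      # tunnel-mode outer IP header
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # explicit AES-GCM IV
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 16         # 128-bit integrity check value


def esp_tunnel_len(inner_ip_len: int) -> int:
    """Size of the outer IPv4 packet that carries one ESP-tunnelled inner packet."""
    body = inner_ip_len + ESP_TRAILER
    pad = (-body) % 4  # ESP requires 4-byte alignment of payload + trailer
    return OUTER_IPV4 + ESP_HDR + ESP_IV + inner_ip_len + pad + ESP_TRAILER + ESP_ICV


def wire_bytes(ip_len: int) -> int:
    """Bytes of line time one IP packet occupies on Ethernet, framing included."""
    frame = max(ETH_HDR + ip_len + ETH_FCS, ETH_MIN_FRAME)
    return frame + ETH_PREAMBLE + ETH_IFG


def goodput_fraction(inner_ip_len: int, layer: str) -> float:
    """Share of line rate that carries the original IP packet for a given layer."""
    if layer == "l3":    # IPsec: every packet grows by headers, IV, padding and ICV
        on_wire = wire_bytes(esp_tunnel_len(inner_ip_len))
    elif layer == "l1":  # bulk transport encryption: frame length unchanged (assumption)
        on_wire = wire_bytes(inner_ip_len)
    else:
        raise ValueError(f"unknown layer {layer!r}")
    return inner_ip_len / on_wire


def esp_penalty(inner_ip_len: int) -> float:
    """Fraction of line rate lost to ESP relative to sending the packet in clear."""
    return 1.0 - wire_bytes(inner_ip_len) / wire_bytes(esp_tunnel_len(inner_ip_len))


if __name__ == "__main__":
    print(f"{'inner IP':>9} {'L3 goodput':>11} {'L1 goodput':>11} {'ESP penalty':>12}")
    for size in (40, 128, 512, 1400):  # constructed packet sizes, TCP ACK to near-MTU
        print(f"{size:>9} {goodput_fraction(size, 'l3'):>11.3f} "
              f"{goodput_fraction(size, 'l1'):>11.3f} {esp_penalty(size):>12.3f}")
```

Small packets suffer most: a 40-byte inner packet loses over a third of its line rate to ESP framing, while a 1400-byte packet loses under 4 percent, which is why the article's concern is sharpest for chatty, latency-sensitive applications.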
The traditional operational model for deploying encryption solutions can also be cumbersome and costly. As individual traffic streams require individual encryption devices often specific to the protocol involved, multiple ports on each MAN/WAN network element are consumed, adding to the cost and complexity.
That is where the benefits of a lower layer encryption solution kick in. While it is certainly not necessary for all enterprise IT applications, it is a strong fit for those that are more bandwidth-intensive or time-sensitive. A well devised and properly implemented encryption solution integrated into the transport layer allows deployments that minimise the number of network elements while still adhering to the highest security standards. Available network bandwidth can be fully utilised, and the ultra-low latency of the encryption process eliminates application delays.
Choosing an optical encryption solution can at times be a daunting task. Key points to take into consideration in the process should include:
a) Regulations compliance
The globalised nature of today's business means that companies need to adhere to a multitude of information security related regulations and constantly monitor their level of compliance. Therefore, it is essential that the solution chosen ensures compliance with these crucial laws.
b) Security level and security standards compliance
Thorough evaluation of the technical quality of the encryption solution goes without saying. 256-bit encryption algorithms are recommended, as well as the ability to frequently refresh encryption keys.
c) Latency
As discussed, for some of the more latency sensitive network protocols and IT applications the delay parameters offered by the encryption solution can be relatively impactful. State-of-the-art optical encryption solutions should be able to keep latency under control, offering hardware-related latency parameters in the region of several microseconds.
d) Protocol transparency and scalability
Any dynamic enterprise's network is typically a constantly evolving, "living and breathing" organism. This means that the services running over it today will probably differ from those that fill up the network bandwidth in the future. It is therefore important that the chosen solution supports protocol-agnostic encryption, which offers the flexibility to support a variety of transport types.
e) Manageability
Whether the encrypted Wide Area Network link is managed and maintained by an enterprise itself or through a managed service delivered by a communications services provider, it is worth verifying whether the "owner" of the data (the end-user) is actually the one maintaining close control of the encryption keys, issuing new keys as needed while remaining aware of any security alarms and logs on an end-to-end basis. This can typically be delivered by separating the optical transport management from the encryption key management.
The amount of business-critical data being distributed over the Wide Area Network continues to increase, making it increasingly important for IT managers to look beyond simply securing the data centre and towards protecting data on the go. For a completely secure approach, the three key areas of server security, at-rest encryption and in-flight encryption must be addressed in equal measure, and optical layer encrypted networking solutions will have a vital role to play. The fact of the matter is that only securing information in the virtualised environment while running an unsecured network is a bit like closing all the windows in your car but failing to lock the doors: it makes it all too easy to have your car stolen.