Blueprint Metro Ethernet, June 2006, by Andy Solterbeck, President and General Manager, SafeNet
The use of fiber optic cabling across WANs for the transmission of data and voice communications has become increasingly widespread. In fact, where available, it is the de facto choice. One of the predominant reasons for the move from copper-based wires to fiber optic cables has been the belief that fiber is impervious to physical tapping, thus ensuring the security of the communications. Time, however, has proven this to be false. As Metro Ethernet, VPLS, VDSL and other next-generation Ethernet services grow in popularity worldwide, perimeter security has proven to be insufficient, and the need to secure data-in-motion has never been clearer.
Why Metro Ethernet / VPLS Network Deployments Are Increasing
Over the last quarter century, Ethernet has become the ubiquitous enterprise LAN technology. Over 95 percent of all data traffic originates and terminates on Ethernet ports. Rarely has a technology proved so simple, flexible, cost-effective, and pervasive. In the last few years, Ethernet has emerged as an alternative in metro and wide-area packet networks, thanks to the mass deployment of full-duplex, fiber optic Gigabit Ethernet technology.
According to Infonetics Research, an international market research firm specializing in data networking and telecom, worldwide sales of metro Ethernet equipment doubled from $2.6 billion in 2004 to over $4.9 billion in 2005, and are expected to triple to over $15 billion by 2009. This explosion is being driven largely by the technology’s cost-effectiveness and simplicity of implementation and maintenance.
Bringing Ethernet technology into the Metro Area Network (MAN) architecture is both smart and simple. It provides a solution to the “bandwidth bottleneck” that can be created as networks expand, real-time applications like VoIP become more prevalent, and user numbers increase. Ethernet’s simplicity, fast provisioning, and bandwidth scalability and granularity are compelling swift adoption of Ethernet in the metro environment. An additional important benefit is the considerable reduction in overhead. The 10GbE Ethernet standard utilizes 64b/65b encoding, where one out of every 65 bits is encoded, resulting in greater efficiency and speed of transmission and allowing carriers to squeeze more bandwidth out of their existing infrastructure.
Latency is also a key concern for large networks, particularly those providing voice, video, and other latency-sensitive multimedia services. Metro Ethernet Networks offer a much higher level of support for low-latency applications and provide much lower latency than networks that require Layer 3 in their architecture. Furthermore, the cost of Ethernet equipment is significantly lower than that of other solutions, such as ATM or SONET. This is due to Ethernet’s technical simplicity and the high incidence of existing Ethernet installations, which allow for lower Metro Ethernet implementation costs. The cost savings also extend through provisioning, operation, and maintenance. With the prevalence of existing Ethernet usage, organizations can easily leverage their current networking investments.
The Threat Model: Why Optical Networks Are Also at Risk
While WAN Ethernet provides a solution to many of the networking issues currently faced by enterprises (the “triple play” of data, voice, and video), there is still the issue of ensuring that their critical data remains secure. The truth is that anyone with malicious intentions and a modicum of expertise can gain access to data assets that are not properly protected. There have been several reported incidents of fiber optic cable tapping that illustrate the impact of these threats. For example, according to The Wolf Report, an illegally installed eavesdropping device was found in Verizon’s optical network at a mutual fund company prior to the release of their quarterly financial statements. In another incident, Deutsche Telekom experienced the breach of three main trunk lines at Frankfurt Airport.
Through the use of splitters and couplers, an intruder can access the optical signal without breaking the fiber or disrupting the flow of data. These types of devices greatly increase the difficulty of detecting an intrusion. For example, macro-bend couplers, which are inexpensive and easily obtained, involve simply placing the device on the fiber and creating a bend that allows a small amount of light to escape. The data stream can then be captured by simply placing an optical detector at the point of light leakage and using off-the-shelf “sniffer” software. Without specific equipment in place to check for signal degradation or disturbance, this type of data breach can easily go undetected.
There are also increasing regulations at the local, national, and international levels (such as California SB 1386, SOX, GLB, HIPAA, the EU Data Protection Directive) that require data to be protected. Unauthorized access to sensitive data can result in damage to both the reputation and the bottom line of organizations.
Security breaches can occur at any time through intentional and unintentional actions, and from both internal and external sources. The traditional perimeter security methods (passwords, firewalls, biometrics, etc.) still provide important protection, but cannot combat all of the threats present in today’s enterprise network environments. Due to the high volume of data that is carried over optical networks, even a small-scale attack can result in a significant amount of data loss. It has become well known that fiber optic cables can be easily tapped into and the data stream captured or diverted. Many of the tools used to maintain a fiber optic network are unable to detect tapping devices since they use signal presence, strength, and direction to confirm proper transmission. Encrypting data ensures that it is secure even if the fiber optic lines themselves are tapped.
The Advantages of Encrypting at Layer 2
When used illicitly, optical taps can provide unfettered access to data and voice communications passing over a fiber optic line. Implementing encryption at Layer 2 ensures the security of the fiber optic transmission and makes the data virtually impossible for those with malicious intentions to misappropriate. While it runs counter to the conventional wisdom, fiber can be tapped — even without breaking cable sheathing. The challenge lies in maintaining the performance and simplicity of WAN Ethernet networks while assuring the security and privacy of user data, whether it is a data, voice, or video transmission. The solution lies with high speed encryption.
In a study by the Rochester Institute of Technology (RIT), it was determined that Layer 2 encryption technologies (in this case, SONET was tested, but this holds equally true for Ethernet as well) provide superior throughput and far lower latency than IPSec VPNs, which operate at Layer 3. In part, the RIT study states: “in the case of point-to-point high speed networks, Layer 2 SONET encryption generates much better performance in comparison to Layer 3 IPSec encryption on the same link. The encryption of traffic at line speed, addition of constant minimal latency regardless of frame size, and minimal frame loss make Layer 2 encryption a highly desirable solution. Enterprises that need to secure a point-to-point link are likely to achieve better encryption performance by shifting from traditional encryption with IPSec at Layer 3 to the overhead-free encryption of frame payloads at Layer 2.”
Additional advantages of encrypting at Layer 2 include:
Support of higher throughputs, such as OC192/STM64 (10Gbps).
By implementing technology that uses the latest encryption algorithms, organizations can prevent intruders from “breaking the code.” All modern cryptographic systems periodically change their keys, so if a key is somehow determined, it can only decrypt a bounded amount of data. For example, if someone taps a line, archives all the data, determines one key, and then decrypts the archived data, they will only be able to decrypt the small portion of the data that was protected under that key. And, according to information on the NIST Web site, it would take approximately 149 trillion years for a specially designed decryption program to decipher a 128-bit AES key, and even longer for a 256-bit key.
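The two properties this section relies on, Layer 2 encryption of the frame payload only (the Ethernet header stays readable so switches can forward) and periodic rekeying that bounds what one recovered key exposes, can be made concrete in a small model. The following Go program is an added illustration, not SafeNet’s product code or any standard; it assumes a per-epoch key derived as SHA-256(master || epoch), a constructed rekey interval of four frames, a constructed master secret and a constructed 14-byte header plus short payload, with AES-256-GCM from the Go standard library as the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const hdrLen, framesPerKey = 14, 4 // 14-byte Ethernet header stays in the clear; rekey every 4 frames (constructed interval)
// Link is one end of an encrypted Ethernet link; seq selects both the key epoch and the nonce.
type Link struct {
	master [32]byte
	seq    uint64
}
// epochKey derives the AES-256-GCM key for an epoch (assumed KDF for this example: SHA-256(master || epoch)).
func epochKey(master [32]byte, epoch uint64) cipher.AEAD {
	k := sha256.Sum256(binary.BigEndian.AppendUint64(master[:], epoch))
	block, _ := aes.NewCipher(k[:]) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Protect encrypts only the payload: output is header | seq(8) | ciphertext+tag; header and seq are the associated data, nonce = 4 zero bytes || seq.
func (l *Link) Protect(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	ad := binary.BigEndian.AppendUint64(append([]byte{}, frame[:hdrLen]...), l.seq)
	nonce := append(make([]byte, 4), ad[hdrLen:]...)
	g := epochKey(l.master, l.seq/framesPerKey)
	l.seq++
	return g.Seal(append([]byte{}, ad...), nonce, frame[hdrLen:], ad), nil
}

// LeakedKeyYield protects ten constructed frames and counts how many one leaked epoch key opens: only those sent under that key.
func LeakedKeyYield(leakedEpoch uint64) int {
	l := Link{master: sha256.Sum256([]byte("constructed master secret"))}
	leaked := epochKey(l.master, leakedEpoch)
	n := 0
	for i := 0; i < 10; i++ {
		f, _ := l.Protect([]byte("\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00payload"))
		nonce := append(make([]byte, 4), f[hdrLen:hdrLen+8]...)
		if _, err := leaked.Open(nil, nonce, f[hdrLen+8:], f[:hdrLen+8]); err == nil {
			n++
		}
	}
	return n
}
```

With ten frames and a four-frame epoch, the key for epoch 1 opens exactly four of them, epoch 2 opens the last two, and a key for an epoch that never carried traffic opens none; the GCM tag also rejects any frame whose cleartext header or sequence number was altered in transit.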
Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm. In other words, data encrypted in this manner is secure. By implementing encryption as the foundation of their security infrastructure, companies will have one of the core elements in place to achieve compliance with all regulations. Even if, through malice or accident, sensitive data is compromised, user/customer privacy and company reputation will remain intact.