Securing Data in the Next-Generation
Broadband Cable Telecommunications Network
Michael Schneider, Feb 28, 2008
Multiple systems operators (MSOs) and cable telecom service providers generally consider their sites as “secured facilities.” The information traveling inside the buildings is also considered relatively secure. However, the optical fibers connecting one site to another, sometimes over hundreds and thousands of kilometers, are some of the most vulnerable points in these networks.
The use of fiber-optic cabling for the transmission of data and voice communications has become increasingly widespread among both public networks and private local area networks (LANs). Proliferation of multi-degree reconfigurable optical add-drop multiplexers (ROADM) as well as hybrid fiber/coax (HFC) and FTTx technologies are extending fiber throughout the entire transport network. Due to the high volume of data carried over optical networks, even an attack from a single point can result in a significant amount of data loss through either theft or corruption. It has become well known that fiber-optic cables can easily be tapped into and the data stream captured or diverted.
Fiber vulnerability allows hostile intruders to intercept information passively or actively alter data by sending deceitful or bogus information, and even to cause real harm to the network. In order to intercept IP/Ethernet information from an optical network, off-the-shelf wave-division multiplexing (WDM) components can be used to extract a specific wavelength channel, and then — using multi-service provisioning platform (MSPP) or data equipment easily obtained from aftermarket sources — direct it to routers or to deep packet inspection (DPI) devices.
Many of the tools used to maintain a fiber-optic network are unable to detect tapping devices since they only use signal presence, strength and direction to confirm proper transmission. When used illegally, optical taps can provide unfettered access to data and voice communications passing over a fiber-optic line.
To overcome hostile interception of data and information, military bodies, governments, network operators and businesses devote major effort to increasing their network security.
Encrypting the information running over the fibers is considered the highest level of security a network operator can achieve for protecting against external threats.

Protection Strategy
The security market is evolving, driven by changes in how people use the network. When companies first started to connect their networks to the Internet, it was to access the large amount of data that was on the Web. Network separation of the outside network from the inside network was the top priority, and many different products emerged to accomplish that separation. Firewall, intrusion detection (IDS) and prevention software (IPS), anti-virus and other tools prevent many threats from entering the network.
Then the Internet was leveraged for remote employee access, business-to-business applications, e-commerce and remote access from anywhere in the world for different applications. A need arose for tools that define who is allowed to access the network servers and which services they may use once they have access.
But this is not enough when data travels from one site to another over a shared infrastructure. Organizations must adopt multilayer security solutions to optimally defend against the threats and vulnerabilities that exist today. The best-practice, threat-focused security approach deploys a multilayered defense that splits into two main categories:
- Protection of the inside organization network:
  - Controls access (using mechanisms like AAA, LDAP, SSO, NAC).
  - Defends the infrastructure (for example, firewall, anti-virus, content filtering, IDS/IPS).
- Protection of the data “in motion” outside the organization from external threats as it travels the network, through use policies and encryption.
Transport Encryption
The most powerful and widespread approach to countering the network security threats for data in motion is encryption. Advanced Encryption Standard (AES) was announced in 2001 by the National Institute of Standards and Technology (NIST) as U.S. Federal Information Processing Standard (FIPS) 197. AES is one of the most popular and powerful algorithms used in symmetric key cryptography. It is fast, relatively easy to implement and requires little memory. AES has a fixed block size of 128 bits and uses a key size of 128, 192 or 256 bits.
AES encryption and SHA-1 authentication are the accepted standards for protecting data in transit over non-trustworthy networks. They provide three levels of security as follows:
- Confidentiality: Keep the Data Secret – using AES/3DES industry standard encryption algorithm.
- Authentication: Trust your Sources – industry standard hashing algorithms (SHA-1 and MD5) verifying the identity of the peer device.
- Integrity: Trust your Data – industry standard hashing algorithms (SHA-1 and MD5) ensuring that data has not been altered in transit.
Layer 2 Transport Encryption Solution
Layer 2 encryption solutions encrypt the entire Ethernet payload, keeping the Ethernet header untouched (MAC/VLAN and other L2 characteristics).
Protecting data at Layer 2:
- Allows any data payload to be secured across metro Ethernet networks
- Prevents any Layer 2 attack like ARP spoofing by authenticating the entire Ethernet frame: MAC addresses, headers and the encrypted payload
- Reduces latency and complexity associated with higher-layer processing
Network Applications
Secured Ethernet Private Lines (EPL)
One of the most common transport services for government/military and large enterprises today is Ethernet Private Lines (EPL). The organization leases a point-to-point Ethernet connection, typically 10 Mbps to 1,000 Mbps, from the service provider for privacy, security, diversity and dedicated bandwidth.
A large number of service providers already offer combined security services to their customers in an efficient and cost-effective manner; such providers are generally referred to as MSSPs (Managed Security Service Providers) and their offerings as clean pipes.
These managed network security services include IPSec and SSL VPNs, firewall, IDS, IPS, virus scanning, authentication and PKI, vulnerability assessment, content security and other services. Using EPL, MSSPs can provide clean pipes, that is, a Layer 2 end-to-end secured connection, between customer sites.
Typical use of the EPL application is for point-to-point LAN expansion and storage area networking (SAN), that is, storage over distance for disaster recovery and business continuity. However, to provide true security for the data in motion, service providers must offer encryption because, increasingly, customers want to ensure that no one can tap into or alter information while it travels the outside network infrastructure.
Using Ethernet encryption, service providers can offer a secure point-to-point connection. Other benefits include:
- Ethernet private line application using Ethernet over SONET or DWDM
- Layer 1 capabilities are kept – auto negotiation, pause/flow control etc.
- End-to-end link encryption based on the physical Ethernet interface
- The encryption devices at both ends communicate with each other to exchange keys while being centrally managed by the operator
Secure Layer 2 VPN Services - Point to Multipoint and Multipoint to Multipoint VLANs
Business and government organizations are increasingly demanding virtual private networks (VPNs) instead of traditional and costly leased lines, and Ethernet and IP interfaces instead of DS1 and DS3.
However, VPNs do not accommodate the growing security needs of enterprise networks. VPNs separate customer traffic over the same service provider network, but do not provide secure communication between the remote VPN sites. In order to avoid any risk of losing data or having it compromised, either the service provider or the customers themselves need to protect their data over the shared network.
Using VLAN encryption, multipoint connections can be secured by using a different encryption key per VLAN. This also avoids the need for a security gateway at nodes on the shared path that do not require encrypted traffic. The encryption process is carried out only at the two end systems.
Using Ethernet VLAN encryption, service providers can offer secure shared connections with the following benefits.
- Encrypted Ethernet over L2 provider bridge network.
- Layer 1 capabilities are kept – auto negotiation, pause control, etc.
- Layer 2 information is preserved – VLAN, CoS, etc.
- Support for end-to-end encryption over E-Line (EPL, EVPL) and E-LAN (EPLAN, EVPLAN) services.
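The mechanism described in the Transport Encryption and Layer 2 Transport Encryption sections above, together with the per-VLAN keys of the preceding paragraph, as one added example (this is illustrative code written for this page, not ECI Telecom's or any product's implementation). The frame is parsed only as far as the clear Layer 2 header (MAC addresses, optional 802.1Q tag, EtherType); the payload is encrypted with AES-256-CTR and the entire frame, header included, is authenticated with an HMAC in an encrypt-then-MAC arrangement, so a changed MAC address or a changed ciphertext byte is rejected before any decryption happens. The key per VLAN is selected from a `KeyTable` that is assumed to have been filled by the key exchange between the two encryption devices (that exchange is out of scope here); the article lists SHA-1 and MD5, but the example uses HMAC-SHA-256 because SHA-1 and MD5 are no longer recommended for new designs. Replay protection (sequence numbers) that a deployed device would add is omitted, and the MAC addresses, VLAN IDs, keys and payloads are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const tpidVLAN = 0x8100 // EtherType value announcing an 802.1Q tag

// KeyTable maps a VLAN ID (0 = untagged) to the 32-byte AES-256 key agreed for that
// VLAN by the two encryption devices; key exchange itself is out of scope here.
type KeyTable map[uint16][]byte

// keysFor parses the clear L2 header and returns its length plus separate
// encryption and authentication subkeys for the frame's VLAN.
func (kt KeyTable) keysFor(frame []byte) (hl int, enc, mac []byte, err error) {
	hl, vid := 14, uint16(0)
	if len(frame) >= 14 && binary.BigEndian.Uint16(frame[12:14]) == tpidVLAN {
		hl = 18 // 802.1Q tag adds TPID + TCI between source MAC and EtherType
	}
	if len(frame) < hl {
		return 0, nil, nil, errors.New("frame shorter than its Ethernet header")
	}
	if hl == 18 {
		vid = binary.BigEndian.Uint16(frame[14:16]) & 0x0fff
	}
	key, ok := kt[vid]
	if !ok {
		return 0, nil, nil, fmt.Errorf("no key for VLAN %d", vid)
	}
	h := hmac.New(sha256.New, key) // subkeys: one key never serves two purposes
	h.Write([]byte("enc"))
	enc = h.Sum(nil)
	h.Reset()
	h.Write([]byte("mac"))
	return hl, enc, h.Sum(nil), nil
}

// Protect keeps the L2 header in the clear, encrypts only the payload and appends
// a tag over header, IV and ciphertext: header | IV(16) | AES-256-CTR(payload) | HMAC-SHA-256(32)
func (kt KeyTable) Protect(frame []byte) ([]byte, error) {
	hl, enc, mac, err := kt.keysFor(frame)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(enc) // 32-byte subkey, so this cannot fail
	out := make([]byte, len(frame)+aes.BlockSize, len(frame)+aes.BlockSize+sha256.Size)
	copy(out, frame[:hl])
	iv := out[hl : hl+aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[hl+aes.BlockSize:], frame[hl:])
	h := hmac.New(sha256.New, mac)
	h.Write(out)
	return h.Sum(out), nil
}

// Unprotect verifies the tag in constant time before decrypting. The VLAN ID is
// read from the unverified header only to pick a key; a forged ID just fails the check.
func (kt KeyTable) Unprotect(sec []byte) ([]byte, error) {
	hl, enc, mac, err := kt.keysFor(sec)
	if err != nil {
		return nil, err
	}
	if len(sec) < hl+aes.BlockSize+sha256.Size {
		return nil, errors.New("protected frame too short")
	}
	body, tag := sec[:len(sec)-sha256.Size], sec[len(sec)-sha256.Size:]
	h := hmac.New(sha256.New, mac)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, errors.New("authentication failed: header or payload altered")
	}
	block, _ := aes.NewCipher(enc)
	out := make([]byte, len(body)-aes.BlockSize)
	copy(out, body[:hl])
	cipher.NewCTR(block, body[hl:hl+aes.BlockSize]).XORKeyStream(out[hl:], body[hl+aes.BlockSize:])
	return out, nil
}

// buildFrame assembles a tagged IPv4 frame with constructed MAC addresses.
func buildFrame(vid uint16, payload []byte) []byte {
	f := []byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x81, 0x00, 0, 0, 0x08, 0x00}
	binary.BigEndian.PutUint16(f[14:16], vid&0x0fff) // TCI with PCP/DEI = 0
	return append(f, payload...)
}

func main() {
	site := KeyTable{10: []byte("0123456789abcdef0123456789abcdef")} // constructed key
	if sec, err := site.Protect(buildFrame(10, []byte("customer payload"))); err == nil {
		fmt.Printf("clear header %x\nprotected body %x\n", sec[:18], sec[18:])
	}
}
```

The first 18 bytes of the protected frame are byte-for-byte the original header, which is what lets switches and provider bridges forward it unchanged; a node holding only the VLAN 10 key gets a "no key for VLAN 20" error on VLAN 20 traffic rather than plaintext, and flipping a single bit anywhere in the header or ciphertext fails the HMAC check.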
Summary – Optimal Data Transmission Security Solution
The characteristics of an optimal transport security solution for data protection include the following:
- Strong Encryption Method: By using a strong encryption algorithm like AES-256 that uses a long key size, brute-force cryptanalysis becomes impossible.
- Transparency: A transport security solution should be easy to deploy and not add complexity to the network. The installed device should have no impact on network design or operation. Security must be transparent by supporting jumbo frames and multiple VLAN tags and MPLS labels used by existing network elements.
- Performance – Low Latency: With so many applications existing today being latency-intolerant (for example, streaming video, voice over IP, storage replication, disk mirroring), a security solution must not affect network performance. It must introduce virtually no latency and have maximum throughput.
- Easy and Secure Management: An optimal transport security solution is easily managed from a central remote location, and provides access to security policies and controlled key management functionalities. Administrators should receive alerts for faults or potential security breaches, such as unsuccessful logins or logouts, or any disabling of the security functions.
- Cost Effectiveness: Transport security will reduce OPEX for the customer by outsourcing data encryption to the service provider. Centralized security management integrated with existing transport element management systems will lower OPEX for the operator as well. At the same time, CAPEX would be reduced for the customer by leasing the security gateway equipment from the service provider.
- Industry Standard Compliance: FIPS 140-2 Level 2 certification is awarded to products after thorough testing by an accredited independent laboratory. It is a benchmark used by government agencies as well as corporations implementing secure applications to determine which products offer robust standardized data protection.
As these points indicate, Ethernet transport encryption is an end-to-end solution with very little impact on existing operations that cable operators can confidently offer to their business and government subscribers.
Michael Schneider is Product Manager-Network Solutions at ECI Telecom

