Fiber optic communication was long considered to provide a much more secure infrastructure than copper because it does not radiate and is difficult to tap. However, in recent years it has been shown that tapping a fiber optic cable and extracting all the data passing over it is not so hard. As a result, awareness of data security over DWDM links has increased in many organizations, especially in banks, government entities, data centers and service providers. Security requirements such as confidentiality, integrity and authentication have also become mandatory.
The Cryptography Solution
PacketLight’s innovative cryptography solution offers a high level of security for the fiber infrastructure by encrypting and protecting the service-level data flow. The encryption is transparent to the traffic and does not degrade the DWDM link performance or the QoS of the transferred data. It provides full end-to-end transparency of service data and clock, with a low latency of less than 12 µs for 10GbE.
PacketLight’s cryptography solution (PL-1000TE Crypto) performs GCM-AES-256 encryption at layer 1 of the client signal, thus supporting the full bandwidth of the 1/10/40G services. The solution is compliant with NIST FIPS 140-2 standards and NSA Suite B requirements for 40G Eth, 10G Eth and GbE services as well as 4/8/10/16Gb FC.
PacketLight’s comprehensive encryption solution addresses three major concerns of optical link security:
Confidentiality - preventing disclosure of information to unauthorized parties
Data integrity - ensuring that the message has not been altered
Authentication - validating that both parties involved are indeed who they claim to be
The PL-1000TE Crypto solution is applicable for services of GbE, 10GbE and 40GbE as well as 4/8/10Gb FC. The user can flexibly activate the encryption/decryption functionality for specific transponders and selected wavelengths.
Additionally, up to 10 encrypted signals can be multiplexed into a single 100G OTN uplink by PacketLight’s muxponder devices - PL-1000GM or PL-1000GT.
Other Security Methods
Besides data encryption, all PacketLight DWDM devices support two further security capabilities:
Fiber attenuation monitoring
Secured access to management console
The Fiber Attenuation Monitoring method monitors the attenuation levels between two sites in real time and provides system alerts in case of any degradation in the fiber attenuation. Malicious fiber tapping attempts are one of the possible causes of such degradation. With the alerts provided by PacketLight’s units, such tapping attempts can be quickly identified and remedied.
The firewall functionality protects PacketLight’s device against attacks aimed at the management port by enabling the user to maintain a white list of managers that can access the device and to specify the list of blocked/allowed management protocols.
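The monitoring idea described above, sketched as an added example (not PacketLight's code or algorithm): span loss is computed from transmit and receive power, a baseline is learned, and an alert is raised on a sustained increase. The thresholds, function names and power readings are assumptions constructed for illustration.

```python
from statistics import mean

# Assumed tuning values, not taken from any PacketLight device.
BASELINE_SAMPLES = 5     # readings used to learn the normal span loss
STEP_THRESHOLD_DB = 0.5  # loss increase over baseline treated as degradation
CONFIRM_SAMPLES = 3      # consecutive degraded readings required before alerting


def span_loss_db(tx_dbm, rx_dbm):
    """Span attenuation: far-end launch power minus local receive power."""
    return tx_dbm - rx_dbm


def detect_attenuation_alerts(readings):
    """readings: list of (timestamp, tx_dbm, rx_dbm). Returns a list of alerts."""
    losses = [(ts, span_loss_db(tx, rx)) for ts, tx, rx in readings]
    if len(losses) <= BASELINE_SAMPLES:
        return []  # not enough data to learn a baseline
    baseline = mean([loss for _, loss in losses[:BASELINE_SAMPLES]])
    alerts, streak, alarmed = [], 0, False
    for ts, loss in losses[BASELINE_SAMPLES:]:
        delta = loss - baseline
        if delta >= STEP_THRESHOLD_DB:
            streak += 1
            # Alert once per event, and only after the increase persists,
            # so a single noisy reading does not page anyone.
            if streak >= CONFIRM_SAMPLES and not alarmed:
                alerts.append({"time": ts, "baseline_db": round(baseline, 2),
                               "loss_db": round(loss, 2), "delta_db": round(delta, 2)})
                alarmed = True
        else:
            streak, alarmed = 0, False
    return alerts


# Constructed sample: (seconds, tx_dbm, rx_dbm)
SAMPLE_READINGS = (
    [(t, 1.0, -11.0) for t in range(5)]           # baseline, 12.0 dB loss
    + [(5, 1.0, -11.8), (6, 1.0, -11.0)]          # one-sample glitch, ignored
    + [(7, 0.0, -12.0), (8, 1.0, -11.0)]          # Tx power drop, loss unchanged
    + [(t, 1.0, -11.9) for t in range(9, 13)]     # sustained 0.9 dB extra loss
)

if __name__ == "__main__":
    for alert in detect_attenuation_alerts(SAMPLE_READINGS):
        print(alert)
```

Comparing loss rather than raw receive power keeps a change in the far-end transmitter from being reported as a fiber event.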