Layer-1 Encryption over DWDM

PacketLight’s Layer-1 encryption is transparent to the traffic and causes no degradation to DWDM link performance or to the QoS of the transferred data. It provides full end-to-end transparency of service data (unlike MACsec Layer-2 or IPsec Layer-3 encryption) and low latency of less than 12 µs for 10Gb Ethernet.

A Layer-1 encryption solution for a high level of security, FIPS 140-2 certified and Common Criteria EAL2 certified.

Please contact us for a quote or further assistance.

The Need for DWDM Network Encryption

Fiber optic communication infrastructure was always considered more secure than copper infrastructure, since it does not radiate and is more resilient to tapping.

Recent years have shown that it is possible to tap a fiber optic cable and extract the data transmitted over it. As a result, the need for data security over DWDM links has increased, especially in financial and government institutions, critical infrastructure, data centers and service providers. Moreover, adhering to security requirements such as confidentiality, integrity and authentication has become mandatory in some industries.

PacketLight's Layer-1 Optical Encryption Solution 

PacketLight’s encryption solution performs GCM-AES-256 encryption on Layer-1 of the client signal, supporting full bandwidth of GbE/10/40/100/400Gb Ethernet services. The solution is NIST FIPS 140-2 and Common Criteria EAL2 certified, and complies with Commercial National Security Algorithm (CNSA) Top Secret Suite B 2015 requirements for GbE/10/40/100/400Gb Ethernet, 4/8/10/16/32G FC, STM64/OC-192 SONET/SDH, and OTU2/3/4. 

PacketLight encryption devices also support ECC CDH Diffie-Hellman key exchange and integrate quantum key distribution (QKD) for enhanced key exchange capabilities.

The solution resolves three major concerns in optical link security:

  • Confidentiality - preventing disclosure of information to unauthorized parties
  • Data integrity - ensuring that the message has not been altered
  • Authentication - validating that both parties involved are indeed who they claim to be

The solution enables users to flexibly activate the encryption/decryption functionality for specific transponders and selected wavelengths.


Figure 1: Diagram of Encryption over Dark Fiber with Transponder

Up to 20 encrypted signals can be multiplexed into a single 100G or 200G OTN uplink using PacketLight’s muxponder devices. The encryption can be done per client interface (service) or for the entire uplink (line side).


Figure 2: Diagram of Encryption of Multiple High Capacity Rates and Protocols

Total Network Protection - Additional Security Solutions

In addition to the data encryption, PacketLight DWDM devices support the following security capabilities:

  • Fiber attenuation monitoring - monitors the attenuation levels between two sites in real-time and provides system alerts in case of any degradation in fiber attenuation.
  • Firewall - malicious fiber tapping attempts are one of the reasons for degradation in fiber attenuation. PacketLight units include alerts, so tapping attempts are identified quickly and remedied.
  • Secured access to management console - firewall functionality protects PacketLight’s device against attacks targeted at the management port by enabling the user to maintain a whitelist of managers that can access the device.
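The attenuation monitoring described above can be pictured as a baseline-and-threshold check over periodic span-loss readings. The following is an added example, not PacketLight's code: the function name, the thresholds (0.5 dB step, 3 confirming samples, 5-sample baseline) and the readings are all assumptions constructed for illustration.

```python
from statistics import median

def detect_attenuation_events(readings_db, baseline_n=5, step_db=0.5, confirm=3):
    """Return (index, kind, delta_db) alerts for a series of span-loss readings.

    readings_db: attenuation in dB per polling interval; None means no reading.
    All thresholds are illustrative assumptions, not vendor defaults.
    """
    baseline = []   # recent readings accepted as normal
    streak = 0      # consecutive readings at or above baseline + step_db
    alerts = []
    for i, value in enumerate(readings_db):
        if value is None:
            alerts.append((i, "no-reading", None))
            streak = 0
            continue
        if len(baseline) < baseline_n:
            baseline.append(value)   # still learning the baseline
            continue
        delta = value - median(baseline)
        if delta >= step_db:
            streak += 1
            # Alert once the rise is sustained; a single noisy sample is ignored.
            if streak == confirm:
                alerts.append((i, "sustained-loss-increase", round(delta, 2)))
            # Deviating samples are not folded into the baseline, so a
            # permanent step cannot quietly become the new normal.
            continue
        streak = 0
        baseline = baseline[1:] + [value]   # slide baseline over normal samples
    return alerts

# Constructed sample: ~8.0 dB span, one noise spike, one missed poll, then a
# persistent +0.8 dB step (the kind of degradation the text attributes to tapping).
SAMPLE = [8.02, 7.98, 8.01, 8.00, 7.99, 8.03, 8.70, 8.01, None,
          8.00, 8.81, 8.79, 8.83, 8.80, 8.82]

if __name__ == "__main__":
    for idx, kind, delta in detect_attenuation_events(SAMPLE):
        print(idx, kind, delta)
```

Freezing the baseline during a deviation is the design choice that matters: a detector that averages every sample would absorb a permanent loss increase within a few polls and stop alerting.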


FIPS 140-2 Level 2 Certified, Common Criteria EAL2 Certified

 

 
