LAYER 1 & LAYER 2 ENCRYPTION WHY: ONE SIZE DOES NOT FIT ALL


(1)

Todd Bundy

Director of Global Business Development

ADVA Optical Networking

[email protected]

203-546-8230

© 2015 Internet2

LAYER 1 & LAYER 2 ENCRYPTION. WHY: "ONE SIZE DOES NOT FIT ALL"

(2)


Why Encryption at L1 and L2?

"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."

Edward Snowden, Guardian interview, Moscow, July 2014

(3)

Data Center Environment & Security

(4)

Data Center Environment & Security

Physical Access to the Data Center

(5)

Data Center Environment & Security

Hardware Security

(6)

Data Center Environment & Security

Software Security

(7)

Data Center Environment & Security

and what about the Fiber Connection?

(8)

Fiber Optic Networks: Tapping Possibilities

There are multiple ways to access fiber.

How to get access? Y-bridge for service activities; fiber coupling device.

Where to get access? Street cabinet; splice boxes / cassettes (outdoor / inhouse).

(9)

The World’s 1st 100G Encryption Demo

Diagram: Local "Sender" (XG-210 video source, 10TCE-AES100G 4CSM) and Remote "Receiver" (10TCE-AES100G 4CSM, XG-210, VGC video display), with an Intermediate "Hacker" tapping the link through an optic coupler and EDFA into a third 10TCE-AES100G 4CSM; each side has a CLI, and the tapped feed is labelled "Video ?".

(10)

Comparison: Layer 1 & 2 solutions

Requirement                      | IPSec                                 | MACSec (L2)                     | MACSec+ (L2) | Layer 1
Complexity & Cost                | high                                  | low                             | low          | low
Latency                          | high                                  | low                             | low          | extremely low
Deployment                       | no dedicated end-to-end connectivity  | hop-to-hop only, security risk  | end-to-end   | end-to-end
Data Throughput                  | low                                   | medium                          | medium       | 100%
Protocol Transparency            | low                                   | medium                          | medium       | high
Flexible Encrypted Payload Size  | restricted (standard MAC size)        | restricted (9600B MTU size)     | restricted   | 1G - 100G
End-to-End Compatibility         | IP only                               | layer 2 only                    | VLAN bypass  | SONET/SDH, Fiber/OTN

(11)

High Speed Encryption Modes

MACsec (+32 Bytes)

•  Hop-by-Hop only

•  Pure Ethernet based

•  Overhead increase

Layer 1 Bulk Mode (0 Bytes)

•  Point-to-Point

•  Protocol/I/F agnostic (ETH, FC/IB, SONET/SDH)

•  Integrated Solution with lowest latency

IPsec ESP-AES-256 ESP-SHA-HMAC (+73 Bytes)

•  Bandwidth constraints

•  IP VPN Services

•  Huge overhead

proSEC (+32 Bytes)

•  End-to-End PtP or Multi-Point

•  Pure Ethernet based

•  Overhead increase

Frame layouts:

Plain Ethernet: DA | SA | S-TAG | C-TAG | Etype | Payload | FCS

MACsec: DA | SA | SecTAG | S-TAG | C-TAG | Etype | Payload | ICV | FCS
(DA, SA and SecTAG authenticated; S-TAG through Payload encrypted and authenticated)

proSEC: DA | SA | S-TAG | SecTAG | C-TAG | Etype | Payload | ICV | FCS
(DA, SA, S-TAG and SecTAG authenticated; C-TAG through Payload encrypted and authenticated)

(12)

Encryption Performance

Comparison of Maximum Throughput

Chart: throughput per encryption mode plotted against frame size (x-axis: Framesize / Bytes; y-axis: Throughput).
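The per-frame overheads on slide 11 and the throughput-versus-frame-size comparison on slide 12 can be reproduced with a short model. The following Python is an added example, not code from the deck or from ADVA: the overheads (0, 32, 32 and 73 bytes), the three frame layouts and the 9600 B MTU bound are taken from slides 10 and 11, while the 20-byte preamble/inter-frame gap and the 64-byte minimum frame are standard Ethernet constants assumed here, and all function names are my own.

```python
"""Model of the encryption-mode overheads compared on slides 11 and 12.

Added example, not ADVA code. Overheads and frame layouts come from slide 11;
the Ethernet wire constants marked below are standard values assumed here.
"""

# Per-frame encryption overhead in bytes, as quoted on slide 11.
OVERHEAD_BYTES = {
    "layer1_bulk": 0,   # Layer 1 bulk mode adds nothing to the client frame
    "macsec": 32,       # SecTAG + ICV
    "prosec": 32,       # MACsec+ (VLAN bypass) keeps the same SecTAG/ICV cost
    "ipsec_esp": 73,    # ESP-AES-256 with ESP-SHA-HMAC, figure from the slide
}

# Wire constants: preamble/IFG and minimum frame are standard Ethernet values
# (assumptions, not from the deck); the 9600 B ceiling is the MTU slide 10 cites.
PREAMBLE_AND_IFG = 20   # 8 B preamble/SFD + 12 B inter-frame gap
MIN_FRAME = 64
MAX_FRAME = 9600

# Frame layouts from slide 11. Protection per field: "auth" = integrity only,
# "enc" = encrypted and integrity protected, None = neither (trailer fields).
LAYOUTS = {
    "plain": [("DA", None), ("SA", None), ("S-TAG", None), ("C-TAG", None),
              ("Etype", None), ("Payload", None), ("FCS", None)],
    "macsec": [("DA", "auth"), ("SA", "auth"), ("SecTAG", "auth"),
               ("S-TAG", "enc"), ("C-TAG", "enc"), ("Etype", "enc"),
               ("Payload", "enc"), ("ICV", None), ("FCS", None)],
    "prosec": [("DA", "auth"), ("SA", "auth"), ("S-TAG", "auth"),
               ("SecTAG", "auth"), ("C-TAG", "enc"), ("Etype", "enc"),
               ("Payload", "enc"), ("ICV", None), ("FCS", None)],
}


def cleartext_fields(layout):
    """Fields an intermediate switch can still read for the given layout.

    With plain MACsec the S-TAG sits inside the encrypted region, so a carrier
    bridge cannot switch on it; proSEC's VLAN bypass leaves it readable (still
    integrity protected) by placing it ahead of the SecTAG.
    """
    return [name for name, prot in LAYOUTS[layout] if prot != "enc"]


def wire_bytes(client_frame, mode):
    """Bytes occupied on the link by one client frame under the given mode."""
    if mode not in OVERHEAD_BYTES:
        raise KeyError(f"unknown mode {mode!r}")
    if not MIN_FRAME <= client_frame <= MAX_FRAME:
        raise ValueError(f"client frame must be {MIN_FRAME}..{MAX_FRAME} bytes")
    return client_frame + OVERHEAD_BYTES[mode] + PREAMBLE_AND_IFG


def relative_throughput(client_frame, mode):
    """Throughput relative to the Layer 1 bulk link for this frame size.

    Layer 1 bulk mode is the reference (1.0), the "100%" of slide 10; the other
    modes lose the share of line rate that their added bytes occupy.
    """
    return wire_bytes(client_frame, "layer1_bulk") / wire_bytes(client_frame, mode)


def throughput_table(frame_sizes=(64, 128, 256, 512, 1024, 1518, 9000)):
    """Relative throughput per mode and frame size (the slide 12 comparison)."""
    return {mode: {fs: round(relative_throughput(fs, mode), 4) for fs in frame_sizes}
            for mode in OVERHEAD_BYTES}


if __name__ == "__main__":
    sizes = (64, 128, 256, 512, 1024, 1518, 9000)
    table = throughput_table(sizes)
    print("mode         " + "".join(f"{fs:>8}" for fs in sizes))
    for mode, row in table.items():
        print(f"{mode:<13}" + "".join(f"{row[fs]:>8.1%}" for fs in sizes))
    for layout in ("macsec", "prosec"):
        print(f"{layout}: readable by switches -> {cleartext_fields(layout)}")
```

Running the block prints a table with one row per mode: small frames pay the most for a fixed per-frame overhead, which is the effect the slide 12 chart plots, and the Layer 1 column stays at 100% at every size because nothing is added to the client frame. The `cleartext_fields` rows show why proSEC's ordering matters for carrier networks: only the proSEC layout leaves the S-TAG outside the encrypted region.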

(13)


Optical transmission security: Speed of Encryption

Diagram (axes: "speed, throughput and simplicity" versus "flexibility and complexity") comparing four placements of the encryption function between Site A and Site B:

•  xWDM based encryption: encryption inside the WDM transport at both sites

•  Ethernet based encryption: router / FC switch at each site, encryption on the Ethernet link across the WAN

•  IPsec based encryption: routers at each site, encryption at the IP layer across the WAN

•  FC based encryption: FC switches at each site, encryption on the Fibre Channel link over WDM transport

(14)

L1 Encryption Solution

Highest level of security

Speed - Low Latency

100% Throughput

Protocol and data rate agnostic

Operational Simplicity

(15)

•  Protocol agnostic native transport of all data over single color.

•  16G Fibre Channel with future 32GFC increases real throughput.

•  Long list of certifications and partners.

•  Maximum security and lowest latency.

Data Center Connectivity - Dark Fiber

Connect Guard Optical – layer 1 encryption

Diagram: Site A and Site B (Mainframe, Server, Storage) connected over dark fiber.

Protocols: 4/8/10/16G Fibre Channel; 1/10/40/100G Ethernet; SDR/DDR/QDR/FDR/FDR-10 InfiniBand; FICON

Applications: Data Mirroring; Remote Backup; GDPS; Snapshot; Server Clustering

(16)

Encryption over WDM: 10GbE, 16G FC, 40GbE, 100GbE Services

Diagram: Site A and Site B (LAN, SAN, Legacy), each attached through a multi-rate 10TCE-PCN-16GU+AES100G, connected across the WDM Network; FSP Network & Crypto Manager.

(17)

Business continuity example - sync

Diagram: Data Center Site-A (servers/mainframes, DISK primary, tape vault, NMS) connected through a director over 0-200 km of fiber (WDM / FSP nodes) to Intermediate Site-B (servers/mainframes, DISK secondary, sync mirror).

Synchronous operation: Local transaction will only complete when remote transaction completes

(18)

Layer 1 Encryption

Large enterprises, e.g. financials, are upgrading their infrastructure to layer 1 encryption between their DCs. We believe that Cloud SPs will benefit from the same methodology. Layer 1 encryption will motivate large enterprises to move into the Cloud.

3,830 x 10G equivalent encrypted links in operation

•  61% Finance (70 customers)

•  10% Cloud SPs (18 customers)

•  9% Government (16 customers)

•  6% Healthcare (8 customers)

•  5% Utilities (9 customers)

(19)

Verticals & Cloud Service Providers use of L1 Encryption

Government: security sensitive

HealthCare: security & cost sensitive

Utility: latency & security sensitive

Finance: latency & security sensitive

Internet Economy: scalability & cost sensitive

Public Cloud - XaaS
- Internet connect

Private Cloud
- BC & DR
- lowest latency
- secure LAN/SAN/WAN

Dynamic Hybrid Cloud
- BC & DR (on & off premises)
- lowest latency
- secure LAN/SAN/WAN

Encryption is important for all

(20)

Use Cases: Marist IBM ADVA SDN LAB

•  Bandwidth calendaring

•  Cloud bursting

•  Secure multi-tenancy

•  Workload balancing

Transactional nature of DC-to-DC traffic (bulk data transfers) offers opportunities for optical bandwidth-on-demand.

Diagram: Cloud DC and Private Datacenters, with Tenant 1 and Tenant 2.

(21)

Combined sync/async scenario

Diagram: Data center site-A (servers/mainframes, DISK primary, tape vault) is mirrored synchronously over 0-200 km of fiber through a director to Intermediate site-B (DISK secondary, sync mirror), and asynchronously across a carrier network (0-1000's km) through FC/IP gateways to the CLOUD DR site-C in Ohio (DISK third copy, async mirror), with WDM and FSP nodes on the links.

Asynchronous operation: No specific link between completion of a local and remote transaction

(22)

Encryption over L1 Carrier Networks: 1GbE & 10GbE Services

Diagram: Site A LAN and Site B LAN, each attached through a 5TCE-PCN-AES (n*1GbE, 10GbE), connected across an OTN Network delivered as a Carrier Managed Service; FSP Network & Crypto Manager.

(23)


(24)

ConnectGuard: secure connectivity on all layers

Diagram: HQ (LAN, SAN, Cluster), Main Office (LAN, SAN, Cluster) and Branches A, B and C (LAN) connected at bandwidths from 1.5 Mbit/s up to 100 Gbit/s: >100 Mbit and up to 1 Gbit towards the branches, >10 Gbit and >100 Gbit between the larger sites.

(25)

MACsec slide with cloud

Diagram: LAN at Site A and LAN at Site C connected through the cloud with MACsec.

(26)

proSEC slide with cloud

Diagram: LAN at Site A and LAN at Site C connected through the cloud with proSEC.

(27)

proSEC capabilities

•  IEEE 802.1AE-2006 compliant w/ GCM-AES-128 cipher suite

•  IEEE 802.1AEbn-2011 compliant w/ GCM-AES-256 cipher suite

•  Packet number generation and checking

•  Advanced MACsec transformation with single/dual VLAN bypass

•  Supports point-to-point secure connectivity

•  Works in conjunction with ADVA Security Association Protocol (SAP) for the distribution of the cryptographic keys

Diagram: UBS branch #1 and UBS branch #2 connect through a carrier network to the UBS hub site. Each site has a CE with an encryption point behind a NID; sensitive data to/from branch 1 is carried as VID10 (SecTAG + VID10 inside the carrier network) and sensitive data to/from branch 2 as VID20 (SecTAG + VID20), so the carrier forwards on the bypassed VLAN ID while the payload stays encrypted.

(28)


(29)

Data Center Networks: Encryption Management for Private Networks

Scenario 1 - User of encryption is the operator of equipment

Diagram: FSP NM Server (or FSP EM / LCT/CLI) and FSP NM Clients on the LAN, reaching the 3rd-party NEs over the DCN; Crypto Manager running on FSP NM.

(30)

Data Center Networks: Encryption Management for Private Networks

Scenario 2 - Encryption user does not own the network

Diagram: FSP NM Server and FSP NM Clients on the LAN, reaching the 3rd-party NEs over the DCN; Customer A reaches a GUI Server running NM client apps over the WWW; Crypto Manager running on the GUI Server.

(31)

Crypto Management: Management Levels Provided

Operational management

•  Deals with all operational aspects (FCAPS)

•  User access is handled on the NCU

Security management

•  Control of all security relevant activities

•  Separated from operational management

•  Access control handling on the AES Muxponder, not on the NCU

•  Security relevant activities are performed using the security relevant credentials

(32)

SUMMARY

•  Large Data Center users will migrate certain workloads to the Cloud to take advantage of the latest technologies at affordable costs.

•  Security of their Data is the No.1 concern.

•  Layer 1 Encryption is their solution of choice that

–  does not impact performance or latency

–  supports the latest Data Center protocols

–  is easy to manage and operate

•  Layer 2 Encryption with MACSec+ innovation

–  Enhances deployment flexibility at lower cost

–  Reduces complexity

This is what we offer to large enterprises and Cloud Service Providers.

(33)
(34)

Management Security

Diagram: RADIUS server and RADIUS client; FSP nodes; local operator via SSH (Secure Shell).

Authentication - RADIUS server

•  Centralized password and user management

•  User-access logging

Access to the system/NCU - Secure Shell and SNMPv3

•  Full management encryption

•  Embedded Craft Terminal communication based on HTTPS or SSH or SNMPv3

•  Firmware and database updates via SCP

•  User tracking

Security inside FSP Network Manager

•  CORBA/TLS for Client-Server communication

•  Northbound I/F: XML/HTTPS, SCP/SSH

•  Filtered network views via Service Manager

•  All user information in FSP NM database is encrypted

Local administration: Operator via SSH (Secure Shell)

(35)

Crypto Officer on FSP Network Manager

(36)
(37)

Crypto Manager for Data Services

Encryption can be managed in different ways - based on the usage scenario:

Management via LCT/CLI:

–  Encryption user has direct access (serial/Telnet/HTTPS) to the equipment

–  Encryption management as separate management area inside LCT/CLI (separate encryption user and operational user access)

–  Every security relevant command inside LCT/CLI has to be confirmed with the crypto officer password

Management via FSP NM/SM/Crypto Manager:

–  Crypto Manager allows graphical management of encryption parameters

–  Each change of parameters inside Crypto Manager must be confirmed with Crypto Officer password

–  Combination with Service Manager enables operator to give limited network view to encryption user so that he only sees/manages his own services

–  Service Manager/Crypto Manager can run in virtualized environment (CITRIX) to

(38)

FSP 3000 Security Suite Benefits

… for Enterprise customers

Helps to effectively protect critical information

Superior low-latency performance

Enables compliance with laws and regulations

… for Carriers and Service Providers

Attract new customers in key verticals

Differentiate service offering and increase margins

Enable new encryption service offering through separate
