Interceptor Optical Network Security System. Design Guide. Chapter 4: INTERCEPTOR Optical Network Security System Alarmed Carrier PDS


implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Network Integrity Systems, Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Network Integrity Systems, Inc., the Network Integrity Systems, Inc. logo, and Interceptor are trademarks of Network Integrity Systems, Inc. Other brands and product names are trademarks or registered trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Network Integrity Systems, Inc. reserves the right to make changes to the products described in this document without notice. Network Integrity Systems, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

© 2010 Network Integrity Systems, Inc. – All Rights Reserved – Issue DG.8.2010

The INTERCEPTOR™ Optical Network Security System is a combination of components that together make up an alarmed carrier hardened protective distribution system fully compliant with NSTISSI 7003 and the corresponding guidelines of the various agencies and services. At the foundation of the system is the INTERCEPTOR™ device itself.

INTERCEPTOR launches a monitoring signal into a pair of fibers of the optical cable being protected, which turns the entire cable (up to 144 fibers) into a sensor. Specifically, when any component of the cable is abnormally handled, such as would occur during an intrusion attempt, the monitored fibers sense the disturbance and INTERCEPTOR reports the event.

INTERCEPTOR uses the standard communications fibers inside the cable to perform the monitoring, no matter whether they are dark (unused) or active (transmitting data); therefore no special sensing fibers are required. The INTERCEPTOR model is used to monitor dark fibers. The INTERCEPTOR Plus™ model is used to monitor active fibers.

INTERCEPTOR incorporates Smart Filtering™ technology, which enables it to “autoconfigure” itself: it learns the normal ambient state of the network to create a baseline of normal, routine, benign, non-threatening events, such as the vibration caused by a nearby air conditioning unit or vehicle traffic. While monitoring, these normal events are ignored.

For most cable designs, monitoring as few as 2 fibers within the cable can protect an entire 144-fiber cable. If ingress into the cable is attempted, the protected fibers will sense the disturbance and issue an alarm. How effective this is depends on the design of the optical cable itself. Some cable designs require monitoring on more fibers than others (for instance an 864-fiber cable).

Only a single INTERCEPTOR is needed at one end of the cable being protected. If dark fibers are being monitored, a simple, off-the-shelf optical loopback device is used in a patch panel at the far end to send the monitoring signal back to the INTERCEPTOR. When monitoring active fibers, a single INTERCEPTOR Plus™ is needed at one end of the cable; at the far end, however, a Remote Termination Unit (RTU) is required to separate the monitoring signal from the data signal.

At a minimum, a single INTERCEPTOR can provide a secure connection to four separate locations. However, through some simple fiber concatenation methods (i.e. daisy chaining), a single INTERCEPTOR can provide secure connections to many separate locations. The exact number of locations a single INTERCEPTOR can connect varies, as it depends on the specific network architecture of the deployment.

INTERCEPTOR is a physical layer device and does not touch, process or verify the network data (IP or cell headers) or the National Security Information; therefore no bandwidth bottlenecks are created, allowing full utilization of the network, up to 10Gbps and beyond.

The INTERCEPTOR can be locally managed by serial console, and remotely managed by Telnet or Secure Shell (SSH). The INTERCEPTOR can be accessed via terminal programs such as HyperTerminal or TeraTerm.

Chapter 4 | The INTERCEPTOR Optical Network Security System: An Alarmed Carrier PDS

Figure 1: Typical INTERCEPTOR configuration when dark fibers are used for monitoring

Alarmed Carrier Components

In order to fully understand the various design methodologies and network architectures currently in existence, it is important as a preliminary matter to understand the basic INTERCEPTOR system components and ancillary infrastructure products that would be required to deploy a hardened PDS system in support of a SIPRNet or JWICS network.

The INTERCEPTOR comes in two different versions: INTERCEPTOR and INTERCEPTOR+Plus.

INTERCEPTOR

An optical network security system that can be installed on any fiber optic network, either singlemode or multimode, that turns fibers inside of the cables into “sensors” that monitor the physical security of the cable or cables. Thus, once employed, the INTERCEPTOR is constantly looking for any potential tampering or attempts to access the fibers inside of the cable or cables. The basic INTERCEPTOR model only works on dark fibers; the INTERCEPTOR injects the monitoring signal on the dedicated dark strands inside of the cable. Finally, the INTERCEPTOR can be easily installed on either new or existing fiber optic cables.

INTERCEPTOR units are available in one, two, or four-port configurations, which are all only one rack unit (RU) in height. Each port can protect up to a 144-fiber cable by monitoring as few as two strands of fiber inside of the cable. For a more in-depth discussion, see the network architecture material in Chapter 5 of this Guide.

The basic INTERCEPTOR model is ideal for projects where new cable infrastructure will be installed because extra dark fibers can be planned for and included in those fiber optic cables.

INTERCEPTOR+Plus

This model operates in an identical manner to the basic INTERCEPTOR unit, but it is capable of monitoring both active (or “lit”) fibers as well as dark fibers. The INTERCEPTOR+Plus uses an out-of-band wavelength to inject the alarm monitoring signal onto the same fibers that are carrying the classified network traffic. The alarm monitoring signal and the classified data remain completely separate optical signals.

Figure 3: Graphic of Optical Fiber with two different Signals at 850nm and 1300nm

When monitoring active fibers, INTERCEPTOR+Plus units can be configured to disrupt the optical signal upon alarm, thus providing users with an additional level of assurance and protection.

For any application where spare fibers may eventually be placed into service, the INTERCEPTOR+Plus provides a very scalable and easy-to-migrate solution.

Figure 2: Interceptor™ on Dark Fiber Network

When using an INTERCEPTOR with dark fibers, there is no data being carried on the monitored fibers, therefore they do not need to be connected to a switch or terminated in a bulkhead or faceplate. As such, it is possible to consolidate all INTERCEPTOR equipment on one end of the network and “loop” the monitored fibers at the far end to create a constant optical circuit that originates at the INTERCEPTOR equipment, travels the length of the cable to the loopback point, travels back the length of the cable, and terminates back at the INTERCEPTOR.

Figure 4: INTERCEPTOR Dark Fiber Installation

Options for Creating a Fiber Loopback

Several options exist for creating a fiber loopback. Typically the protected cables are terminated at a patch panel, usually in an equipment rack, or a zone box. At that patch panel one of two methods is used to loop back the signal to the INTERCEPTOR:

1. Fiber optic loopback cable (patchcord)
2. Optical loopback connector

Figure 5: Fiber Loopback

The cable slack of the patch cord must be secured in the patch panel as it is sensitive and could trigger an alarm if disturbed. While it is a slightly more expensive solution, we recommend the use of the optical loopback connector for its mechanical stability and the avoidance of cable slack management.

When terminating the cables at the workstation, for instance in a secure lockbox, the loopback is achieved by one of two methods: through the use of a splice, either fusion or mechanical, or, if the fibers are connectorized, by connecting them in a barrel sleeve.

1. Optical splice, either fusion or mechanical

Photo 3: An elastomeric splice

Photo 4: A fusion splice

2. If the fibers are connectorized, connection to a barrel sleeve

Photo 5: Connectorization with a barrel sleeve

Figure 6: INTERCEPTOR PLUS+ RTU Circuit

RTUs are available in both rack-mount and micro configurations. A rack-mount RTU is a one-rack-unit sized passive device that provides RTU functionality for one, two, or four INTERCEPTOR+Plus circuits. Rack-mount RTUs are commonly used in high density deployments such as storage area networks (SANs) or datacenters. A micro-RTU is a compact RTU that provides RTU functionality for a single INTERCEPTOR+Plus circuit. The small size of the micro-RTU enables convenient mounting in a variety of applications, such as the inside of a zone box, patch panel, connector module housing, or the faceplate of most secure workstation enclosures.

Figure legend: Monitored Pair - Active (Intrusion Detection). Data wavelength shown in blue; monitor wavelength shown in red.

Remote Termination Unit

When using an INTERCEPTOR+Plus™ on active fibers, an optical loopback cannot be used because there will also be data traveling on those fibers that needs to be optically connected to a switch, patch panel, or faceplate in order for the network to send and receive information. Thus, active fiber monitoring requires an INTERCEPTOR+Plus to be installed on one end of the network, and a remote termination unit, or RTU, to be installed on the other. An RTU is a completely passive device that uses wavelength division multiplexing technology to optically separate the alarm-monitoring wavelength and the wavelength carrying the classified information. The RTU allows the optical wavelength carrying the data to pass through it untouched, while the alarm-monitoring wavelength is separated and then reinserted onto the returning fiber which terminates back at the INTERCEPTOR+Plus unit.

Photo 6: Rack Mounted RTU

Interlocking Armored Cable

Several years ago, a majority of the fiber optic cable manufacturers in the United States began to offer an interlocking armor for their cables that would eliminate the need for first installing innerduct in commercial buildings. The interlocking armor was spirally wound around the entire length of the fiber optic cable, and then a PE or PVC outer jacket would surround the armoring, thus allowing ease of handling, as well as printing cable configuration, footage marks, and date of manufacturing on the outside of the cable per BICSI standards. Essentially, the interlocking armor provides a single piece of aluminum or steel armoring that is wound around the entire length of the cable, which provides end-to-end protection.

Since older alarmed carrier technology required an external “sensing” fiber to be installed adjacent to the cable or cables to be protected, commercial off-the-shelf interlocking armored cables offered little value or added protection, since they would still need to be installed inside of a rigid metallic conduit or engineered raceway. However, since INTERCEPTOR and INTERCEPTOR+Plus units monitor fibers within the cable, interlocking armored cables can be used in CONUS and many OCONUS locations to eliminate completely the need for rigid metallic conduit or engineered raceway systems to be installed for point-to-point, alarmed carrier PDS installations (IAW CTTA guidance). The interlocking armored cable can simply be installed using j-hooks or cable D-rings attached directly to the structure or suspended using all-thread. The only fiber optic cables approved by the CTTAs to be used with INTERCEPTOR or INTERCEPTOR+Plus units are cables that have interlocking armor wound around their entire length. The older BX style of armoring provides insufficient protection and is not approved. A detailed list of the interlocking armor cables that have been tested and approved for use with the INTERCEPTOR can be found at http://www.networkintegritysystems.com.

Figure 7: Interlocking Armored Cable (labels: INTERCEPTOR Alarmed Carrier PDS Equipment; Fiber Optic Patch Panel; Interlocking Armored Cable; to LAN Closet, IPS, Zone Box, or Workstation, etc.)
