One of the major priorities for network administrators is building reliable networks that are safe and secure. Thus, they use wavelength multiplexing technology, build independent optical paths and implement automatic switching methods to move traffic to alternative (backup) paths in order to provide continuous transmission in the event of a single device or fibre failure.
However, there is a question as to whether, in our rush towards larger capacities, shorter switching times and better availability, we have forgotten about data security in the sense of its confidentiality and integrity.
Nowadays, cyberattacks are a threat to all enterprises. Optical fibres can be tapped, and confidential information revealed with tools that are relatively easy to use. This means that using optical fibres does not guarantee data security. However, with the help of encryption methods that have previously been used by military and intelligence agencies, it is possible to secure sensitive data.
When we look into this subject we face a number of significant challenges. Firstly, data encryption must be done without information loss; it must be transparent and allow the link to run at full capacity. Nor can we forget about maintaining low latency, which is of primary importance to the financial sector. Secondly, we have to comply with laws that regulate aspects of sensitive data security. Finally, how do we integrate all this into our existing infrastructure without replacing links or devices that are already operational?
If a given solution is to provide a high level of security in a fibre optic infrastructure, it must include cryptographic security of data transmission, a firewall, secure network management protocols and monitoring of optical fibre parameters.
Only a joined-up combination of these elements will allow us to provide three critical security functions:
It is also necessary to provide network administrators with both regular and ad-hoc information on optical fibre parameters, as their rapid degradation may indicate that a fibre is being tapped. Thus, the security of the first layer is a key part of the total cyber security solution.
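As an added illustration of the monitoring point above (this is example code, not from the original article or any vendor), the check below sweeps periodic receive-power readings per optical port and flags a sudden step in loss while the link stays up, the pattern that should prompt an investigation. The log format, port names, values and thresholds are all constructed assumptions.

```python
import re
from statistics import median

# Constructed sample of periodic receive-power readings from an optical port
# monitor (format and values are assumptions for this example, not real output).
SAMPLE_LOG = """\
2024-03-01T10:00:00 port=1/1 rx_power_dbm=-7.10
2024-03-01T10:00:30 port=1/1 rx_power_dbm=-7.12
2024-03-01T10:01:00 port=1/1 rx_power_dbm=-7.09
2024-03-01T10:01:30 port=1/1 rx_power_dbm=-7.11
2024-03-01T10:02:00 port=1/1 rx_power_dbm=-8.95
2024-03-01T10:00:00 port=1/2 rx_power_dbm=-6.50
2024-03-01T10:00:30 port=1/2 rx_power_dbm=-6.52
2024-03-01T10:01:00 port=1/2 rx_power_dbm=-6.55
2024-03-01T10:01:30 port=1/2 rx_power_dbm=-6.58
2024-03-01T10:02:00 port=1/2 rx_power_dbm=-6.61
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+port=(?P<port>\S+)\s+rx_power_dbm=(?P<dbm>-?\d+(?:\.\d+)?)$")

def parse_log(text):
    """Group readings per port in arrival order: {port: [(timestamp, dBm), ...]}."""
    readings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than allowed to abort the sweep
            readings.setdefault(m["port"], []).append((m["ts"], float(m["dbm"])))
    return readings

def find_sudden_loss(readings, step_db=1.0, baseline_samples=3):
    """Alert on ports whose rx power falls by more than step_db between two
    consecutive readings. Slow drift (ageing, temperature) stays under the step
    threshold and a fibre cut shows as total loss of signal; a sharp step with the
    link still up is what warrants investigation. Thresholds are illustrative."""
    alerts = []
    for port, samples in readings.items():
        baseline = median(dbm for _, dbm in samples[:baseline_samples])
        for (_, prev), (ts, cur) in zip(samples, samples[1:]):
            drop = prev - cur
            if drop > step_db:
                alerts.append({"port": port, "time": ts,
                               "drop_db": round(drop, 2),
                               "below_baseline_db": round(baseline - cur, 2)})
    return alerts

if __name__ == "__main__":
    for a in find_sudden_loss(parse_log(SAMPLE_LOG)):
        print(f"{a['time']} port {a['port']}: {a['drop_db']} dB step, "
              f"{a['below_baseline_db']} dB below baseline -> investigate")
```

In practice the same rule would run against readings pulled from the WDM equipment's management interface, with the step threshold set from each link's power budget.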
By taking the above requirements and complementing them with specific policies and standards, we arrive at a set of recommendations for an encryption platform. Among these are: layer-1 encryption using at least a 256-bit key (GCM-AES-256), compliance with the NIST FIPS 140-2 and NSA Suite B standards, and support for the 1/10/40/100Gb Ethernet, 4/8/16/32G Fibre Channel and OTU2/3/4 protocols.
So, what kind of solution do you need to secure your data?
To sum up, a layer-1 encryption solution is independent of the applications and the SAN/LAN devices you use, which makes it cost effective and easy to deploy. It integrates into the existing WDM infrastructure and can be added flexibly without disrupting existing services. A reliable network is a safe and secure network.