Copyright © 2012 All Rights Reserved.
Evolving Optical Transport Network Security
May 15, 2012
Prepared by: John Kimmins, Executive Director, 732-699-6188, [email protected]
Outline
• Overview of Optical Communications and Transport Networks
• Evolving Transport Network Technology
• Potential Security Issues
• Security Risk Management
Drivers for Optical Communications
• Exploding bandwidth demands
− Annual growth of 50% or more to support services such as
  − 3G and 4G wireless (backhaul)
  − Streaming video
  − Cloud services
  − On-line gaming
− Capacity of optical systems is hundreds of times greater than that of electrical or radio-wave systems
• Need for agility, scalability and sustainability to meet rising customer expectations
− Shift from relatively static TDM-based services to rapidly changing IP/Ethernet-based services
Optical Communications Stack Options
[Diagram: layering options for carrying transported traffic (voice, video, data) over optical fiber and optical fiber cable. Client layers shown: Ethernet, SONET, Fibre Channel and FDDI; three client stacks appear, with OTN and WDM (typically DWDM) as the layers that may sit beneath them. The diagram distinguishes inside plant from outside plant.]
Illustrative Physical Network View
[Diagram: three network tiers, Core/Long-Haul (undersea and terrestrial), Distribution/Metro, and Access/Last mile.]
Evolving Transport Network Technology - 1
• Automatically Switched Optical Network (ASON) is an emerging control plane technology that
− Automates discovery and provisioning of network resources and connections
− Allows for customer control over optical network connections
− Permits dynamic policy-driven network control
• Transport network changes are initiated by a customer or management system
• Signaling controls the creation and removal of connections
• Customer connects to the transport plane through a physical interface and communicates with the control plane via a User Network Interface (UNI)
Evolving Transport Network Technology - 2
• Automated provisioning allows for
− Dynamic bandwidth allocation based on demand
− Quick end-to-end connection setup and teardown
− Efficient rerouting and resource usage
− Reduced labor costs associated with manual tasks and customer/service provider interactions
− Time-efficient response to changing customer needs
• ASON also supports
− Connection protection and restoration
− Address and wavelength assignment
− Traffic engineering
− Many Quality of Service (QoS) levels
− Multiple types of traffic (though it may be optimized for IP)
ASON Architecture Interfaces
• Service demarcation points are where call control is provided
• Inter-domain interfaces are service demarcation points
ASON Network Interfaces
• User-Network Interface (UNI)
− Separates the concerns of the user and provider
− Enables client-driven end-to-end service activation
• External Network-Network Interface (E-NNI) enables
− End-to-end service activation
− Multi-carrier and vendor inter-working
− Independence of survivability schemes for each domain
• Internal Network-Network Interface (I-NNI) supports
− Intra-domain connection establishment
− Explicit connection operations on individual switches
• UNI and E-NNI are supported by a family of ITU-T and OIF signaling protocols
• I-NNI is considered proprietary
[Diagram: two provider domains (Provider A, Domain 1 and Provider B, Domain 2), each containing NEs. I-NNI links the NEs inside a domain, E-NNI links the two domains, and a UNI at each edge pairs the client-side UNI-C with the network-side UNI-N.]
Growth of the Security Threats
[Chart: sophistication of available tools/attacks (Low to High) plotted against time, 1980 through 2012+. Labels on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, graphic user interface, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting. For 2012+: Advanced Persistent Threat, Supply Chain Counterfeits, RSA Compromise, Growing Botnets, Mobile Malware, Stuxnet, and a question mark for what comes next.]
Emerging Risks & Impacts
• Increases the exposure of the core optical transport network
− With the new user interface, unauthorized bandwidth requests may enable denial-of-service attacks
− New routing protocols may not be sufficiently protected and may create network instability
− Network forensics may be more difficult in a dynamic environment
− Connections may be temporarily set up to support potential attacks and then disappear
• Gateway products will be emerging to mediate network access
− Testing of security features will be required to determine the protection level
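The UNI-side risks named on this slide (unauthorized bandwidth requests, and connections set up briefly and then torn down before forensics can see them) are the kind of thing an admission policy in front of the control plane addresses. The following is an added illustration, not code from the presentation or from any ASON product; the customer contract terms, the 60-second churn window and the request fields are constructed assumptions.

```python
# Added example (not from the slides): UNI admission policy for an ASON control plane.
# Contract terms, field names and limits below are constructed assumptions.
from collections import defaultdict, deque
# Per-customer contract: aggregate bandwidth cap (Gb/s) and max setups per window.
CONTRACT = {"cust-A": {"max_gbps": 40, "setups_per_window": 3}}
WINDOW = 60.0  # seconds of setup history used for churn limiting

class UniAdmission:
    def __init__(self, contract=CONTRACT, window=WINDOW):
        self.contract, self.window = contract, window
        self.active = {}                  # conn_id -> (customer, gbps)
        self.setups = defaultdict(deque)  # customer -> recent setup timestamps
        self.audit = []                   # append-only record of every decision

    def _log(self, ts, cust, conn_id, op, gbps, verdict):
        self.audit.append(dict(ts=ts, cust=cust, conn=conn_id, op=op, gbps=gbps, verdict=verdict))
        return verdict == "ADMIT"

    def setup(self, cust, conn_id, gbps, ts):
        """Admit or reject a UNI-C connection SETUP; every request is audited."""
        terms = self.contract.get(cust)
        if terms is None:
            return self._log(ts, cust, conn_id, "SETUP", gbps, "REJECT unknown-customer")
        hist = self.setups[cust]
        while hist and ts - hist[0] > self.window:   # forget setups outside the window
            hist.popleft()
        if len(hist) >= terms["setups_per_window"]:
            return self._log(ts, cust, conn_id, "SETUP", gbps, "REJECT churn-limit")
        in_use = sum(g for c, g in self.active.values() if c == cust)
        if in_use + gbps > terms["max_gbps"]:
            return self._log(ts, cust, conn_id, "SETUP", gbps, "REJECT bandwidth-cap")
        hist.append(ts)
        self.active[conn_id] = (cust, gbps)
        return self._log(ts, cust, conn_id, "SETUP", gbps, "ADMIT")

    def teardown(self, cust, conn_id, ts):
        """Release a connection only to its owner; the audit entry outlives it."""
        owner = self.active.get(conn_id)
        if owner is None or owner[0] != cust:
            return self._log(ts, cust, conn_id, "TEARDOWN", 0, "REJECT not-owner")
        del self.active[conn_id]
        return self._log(ts, cust, conn_id, "TEARDOWN", owner[1], "ADMIT")

def run_demo():
    """Constructed request burst from cust-A; returns (decisions, audit trail)."""
    adm = UniAdmission()
    results = [adm.setup("cust-A", "c1", 10, 0.0), adm.setup("cust-A", "c2", 10, 1.0),
               adm.teardown("cust-A", "c1", 2.0), adm.setup("cust-A", "c3", 10, 3.0),
               adm.setup("cust-A", "c4", 10, 4.0),    # 4th setup in window: churn limit
               adm.setup("cust-A", "c5", 30, 61.0),   # 20 + 30 > 40 Gb/s cap
               adm.setup("cust-B", "c6", 1, 62.0),    # unknown customer
               adm.teardown("cust-B", "c2", 63.0)]    # cust-B does not own c2
    return results, adm.audit
```

The audit trail records the setup and teardown of `c1` even though it lived only two seconds, which is the record a forensic investigation would otherwise lack.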
Security Risk Management Roadmap
[Diagram: four roadmap stages, each with its security activities]
• Current Network Infrastructure: Assess Security
− Address risk
− Platforms, applications, NEs & interfaces
− Process flows
− Security architecture
− Security management
• New Network Technology Insertion: Procurement Process Controls
− Vulnerability mitigation
− Processes
− Security design
− Operations testing & turn-up
• New Customer Services: New Services Rollout
− Controls process
− Vulnerability assessment
− Procedures
− Training
− Service testing & turn-up
• Evolving Network Infrastructure: Threat & Vulnerability
− Monitoring
− Patch management
− Periodic vulnerability assessments
− Training