Layer 1 & Layer 2 Encryption. Why: “One Size Does Not Fit All”

Todd Bundy, Director of Global Business Development, ADVA Optical Networking, [email protected], 203-546-8230
© 2015 Internet2. Given on 4/28/2015


TRANSCRIPT

Page 1: Title slide (title, speaker and date as above)

Page 2: Why Encryption at L1 and L2?

"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."

Edward Snowden, Guardian interview, Moscow, July 2014

Pages 3 to 7: Data Center Environment & Security

(Figure, built up over five slides: two data centers, each running APPS behind an FSP transport node, linked by fiber. Each slide adds one security layer that is normally already addressed, ending with the one that usually is not.)

•  Physical access to the data center
•  Hardware security
•  Software security
•  …and what about the fiber connection?

Page 8: Fiber Optic Networks: Tapping Possibilities

There are multiple ways to access fiber.

How to get access?
•  Fiber coupling device
•  Y-bridge for service activities

Where to get access?
•  Street cabinet
•  Splice boxes / cassettes (outdoor / in-house)

(Figure: the tap sits on the fiber run between the two FSP nodes.)
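The slide lists where a tap can be placed but not how an operator would notice one. A passive tap diverts part of the light, so the far end sees a sudden and persistent drop in received optical power. The following is an added example of that check, not ADVA code and not from the slides; the readings are constructed, the thresholds are assumptions to tune per link, and on real equipment the values would come from transceiver digital diagnostics (e.g. `ethtool -m <iface>` on Linux) or the DWDM system's performance-monitoring counters.

```python
"""Optical receive-power step detector (added example; not ADVA code and not
from the slides).

A passive tap on the fiber, whether a coupler clipped onto the glass or a
splitter spliced in at a cabinet, diverts part of the light. At the far end
that appears as a sudden, persistent drop in received optical power. This
script runs that check over constructed transceiver readings in dBm.
"""
from statistics import median

# Constructed sample, one reading per minute: about -2.5 dBm with ~0.1 dB of
# jitter, then a persistent 0.9 dB drop from sample 10 onwards. For scale, a
# splitter that diverts 10% of the light costs about 0.46 dB on its own.
SAMPLE_DBM = [
    -2.48, -2.51, -2.50, -2.47, -2.52, -2.49, -2.50, -2.51, -2.48, -2.50,
    -3.40, -3.38, -3.41, -3.39, -3.42, -3.40, -3.39, -3.41, -3.40, -3.38,
]


def detect_power_step(readings, baseline_n=8, min_drop_db=0.5, persist=3):
    """Return the index at which a persistent power drop begins, else None.

    The baseline is the median of the first `baseline_n` readings, so a single
    glitch does not skew it. An alert needs `persist` consecutive readings at
    least `min_drop_db` below the baseline; a one-sample transient (a connector
    being reseated, a brief bend) is ignored. The defaults are assumptions:
    0.5 dB is well above normal DOM jitter on a stable link but below the loss
    most taps introduce.
    """
    if len(readings) < baseline_n + persist:
        return None  # not enough data to establish a baseline and confirm
    baseline = median(readings[:baseline_n])
    run = 0
    for i in range(baseline_n, len(readings)):
        if baseline - readings[i] >= min_drop_db:
            run += 1
            if run == persist:
                return i - persist + 1
        else:
            run = 0
    return None


def tap_fraction_for_loss(loss_db):
    """Fraction of light that would have to be diverted to explain `loss_db`
    (coupler excess loss ignored): 1 - 10^(-loss/10)."""
    return 1.0 - 10 ** (-loss_db / 10.0)


if __name__ == "__main__":
    start = detect_power_step(SAMPLE_DBM)
    if start is None:
        print("no persistent power drop")
    else:
        drop = median(SAMPLE_DBM[:8]) - SAMPLE_DBM[start]
        print(f"power step at sample {start}: {drop:.2f} dB, consistent with "
              f"~{100 * tap_fraction_for_loss(drop):.0f}% of the light diverted")
```

Power monitoring is a detection aid, not a substitute for encrypting the link: a tap that was already in place when the baseline was taken, or one whose loss the attacker masks by re-amplifying the signal, produces no step, and slow drift from temperature, fiber ageing and maintenance work calls for a periodically re-established baseline rather than a fixed threshold.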

Page 9: The World's 1st 100G Encryption Demo

(Figure: a local "Sender" and a remote "Receiver", each an XG-210 with a 10TCE-AES100G encryption card and 4CSM, exchange a video stream over the fiber and are driven from a CLI. An intermediate "Hacker" taps the link with an optic coupler into a third XG210 with a 10TCE-AES100G card, 4CSM and an EDFA VGC; because the link is AES-encrypted at layer 1, the tapped stream is unreadable, shown as "?".)

Page 10: Comparison: Layer 1 & 2 Solutions

Requirement                     | IPsec                                 | MACsec (L2)                     | MACsec+ (L2)                  | Layer 1
Complexity & cost               | high                                  | low                             | low                           | low
Latency                         | high                                  | low                             | low                           | extremely low
Deployment                      | no dedicated end-to-end connectivity  | hop-to-hop only (security risk) | end-to-end                    | end-to-end
Data throughput                 | low                                   | medium                          | medium                        | 100%
Protocol transparency           | low                                   | medium                          | medium                        | high
Flexible encrypted payload size | restricted                            | restricted (standard MAC size)  | restricted (9600 B MTU size)  | 1G to 100G
End-to-end compatibility        | IP only                               | layer 2 only                    | VLAN bypass                   | Fiber/OTN, SONET/SDH
Flexibility (meshed)            | high                                  | low                             | medium                        | low

The "security risk" of hop-to-hop MACsec is that every intermediate switch decrypts and re-encrypts the frame, so the payload is in the clear inside each hop along the path.

Page 11: High Speed Encryption Modes

Bulk mode, Layer 1 (0 bytes overhead)
•  Point-to-point
•  Protocol / interface agnostic (ETH, FC/IB, SONET/SDH)
•  Integrated solution with lowest latency
Frame: DA SA S-TAG C-TAG Etype Payload FCS. The whole frame is encrypted as it is; nothing is added.

MACsec (+32 bytes)
•  Hop-by-hop only
•  Pure Ethernet based
•  Overhead increase
Frame: DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS. Everything after the SecTAG up to the ICV is encrypted; DA, SA, the SecTAG and the encrypted data are authenticated by the ICV.

proSEC (+32 bytes)
•  End-to-end, point-to-point or multipoint
•  Pure Ethernet based
•  Overhead increase
Frame: DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS. Same SecTAG and ICV as MACsec, but the S-TAG is moved in front of the SecTAG and left in the clear (VLAN bypass), so a carrier network can still switch on it; from the C-TAG onward the frame is encrypted, and the ICV authenticates the headers together with the encrypted data.

IPsec ESP, AES-256 with SHA HMAC (+73 bytes)
•  Bandwidth constraints
•  IP VPN services
•  Huge overhead
Frame: DA SA S-TAG C-TAG Etype IPsec ESP IV Payload Trailer Auth FCS. The payload and ESP trailer are encrypted; the ESP header through the trailer is authenticated; the Ethernet and IP headers stay in the clear.

Page 12: Encryption Performance: Comparison of Maximum Throughput

(Chart: maximum throughput versus frame size in bytes for the modes above, measured on the FSP 3000. Layer 1 bulk mode stays at 100% for every frame size; the fixed per-frame overhead of MACsec and especially IPsec costs the most at small frame sizes.)
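The frame layouts on page 11 and the throughput chart above are only pictures on the slides. The following is an added example, not ADVA code and not from the slides, that makes both concrete: it walks an Ethernet frame past any VLAN tags left in the clear, decodes the IEEE 802.1AE SecTAG and reports the MACsec overhead and the bypassed VIDs (the proSEC / MACsec+ "VLAN bypass"), and it models the throughput-versus-frame-size chart from the per-frame overhead figures on page 11. Assumptions: the frames are constructed test vectors with hypothetical MAC addresses and a zero placeholder ICV (no GCM-AES is run), the FCS is already stripped as in a capture, and each frame is charged the standard 20 bytes of preamble/SFD and inter-packet gap on the wire.

```python
"""MACsec (IEEE 802.1AE) frame inspection and per-mode goodput model.

Added example; not ADVA code and not from the slides. Frames are constructed
test vectors: the ICV is a zero placeholder and no GCM-AES is run.
"""
import struct

ETH_VLAN = (0x8100, 0x88A8)   # C-TAG and S-TAG EtherTypes
ETH_MACSEC = 0x88E5           # SecTAG EtherType
ICV_LEN = 16                  # GCM-AES-128/256 integrity check value
PREAMBLE_IPG = 20             # 8 preamble/SFD + 12 inter-packet-gap bytes per frame

# Per-frame overhead in bytes as given on the "High Speed Encryption Modes" slide.
MODE_OVERHEAD = {"Layer 1 bulk": 0, "MACsec": 32, "proSEC": 32, "IPsec ESP": 73}


def parse_macsec_frame(frame):
    """Decode the SecTAG of a frame (FCS already stripped). Returns a dict with the
    bypassed VIDs, TCI flags, packet number, SCI, SecTAG length and overhead."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    off, bypass_vids = 12, []
    while True:                                   # skip clear-text VLAN tags
        if off + 4 > len(frame):
            raise ValueError("truncated before SecTAG")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype in ETH_VLAN:
            bypass_vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
            off += 4
            continue
        if etype != ETH_MACSEC:
            raise ValueError("no SecTAG, EtherType 0x%04x" % etype)
        break
    if off + 8 > len(frame):
        raise ValueError("truncated SecTAG")
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    if tci_an & 0x80:                             # V bit: only version 0 is defined
        raise ValueError("unknown MACsec version")
    sc_present = bool(tci_an & 0x20)              # SC bit: explicit 8-byte SCI follows
    sectag_len = 16 if sc_present else 8          # EtherType + TCI/AN + SL + PN (+ SCI)
    sci = None
    if sc_present:
        if off + 16 > len(frame):
            raise ValueError("truncated SCI")
        sci = struct.unpack_from("!Q", frame, off + 8)[0]
    start = off + sectag_len
    if len(frame) < start + ICV_LEN:
        raise ValueError("no room for ICV")
    return {
        "bypass_vids": bypass_vids,
        "encrypted": bool(tci_an & 0x08),         # E bit (C bit 0x04 = changed text)
        "an": tci_an & 0x03,                      # association number
        "short_len": sl,                          # non-zero only if secure data < 48 B
        "pn": pn,
        "sci": sci,
        "sectag_len": sectag_len,
        "overhead": sectag_len + ICV_LEN,         # 32 bytes with SCI, as on the slide
        "secure_data": frame[start:len(frame) - ICV_LEN],
    }


def build_frame(vlan_tags, tci_an, pn, sci, payload):
    """Constructed frame: hypothetical DA/SA, optional clear VLAN tags (etype, vid),
    SecTAG, payload standing in for the encrypted data, and a placeholder ICV."""
    hdr = bytes.fromhex("02000000aa01") + bytes.fromhex("02000000aa02")
    for etype, vid in vlan_tags:
        hdr += struct.pack("!HH", etype, vid & 0x0FFF)
    sectag = struct.pack("!HBBI", ETH_MACSEC, tci_an, 0, pn)
    if tci_an & 0x20:
        sectag += struct.pack("!Q", sci)
    return hdr + sectag + payload + b"\x00" * ICV_LEN


def goodput_fraction(frame_bytes, overhead_bytes):
    """Share of line rate still carrying original frame bytes once `overhead_bytes`
    are added per frame; `frame_bytes` is DA through FCS (64..9600 on the chart)."""
    wire = frame_bytes + PREAMBLE_IPG
    return wire / (wire + overhead_bytes)


def goodput_table(sizes=(64, 128, 256, 512, 1024, 1518, 9600)):
    """Goodput fraction per mode and frame size, i.e. the chart's data points."""
    return {m: {s: goodput_fraction(s, o) for s in sizes} for m, o in MODE_OVERHEAD.items()}


if __name__ == "__main__":
    # proSEC-style frame: S-TAG VID 10 in the clear ahead of the SecTAG,
    # SCI present, E and C set, AN 0 -> TCI/AN = 0x2C.
    f = build_frame([(0x88A8, 10)], 0x2C, 1, 0x02000000AA010001, b"\xaa" * 100)
    info = parse_macsec_frame(f)
    print({k: v for k, v in info.items() if k != "secure_data"})
    for mode, row in goodput_table().items():
        print(f"{mode:13s}", {s: round(v, 3) for s, v in row.items()})
```

Running it shows why the chart bends the way it does: with 64-byte frames MACsec keeps about 72% of line rate and IPsec about 54%, at 1518 bytes both are above 95%, and bulk mode is 100% throughout; the parser also shows that an S-TAG ahead of the SecTAG is exactly what lets a carrier switch the frame without being able to read it.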

Page 13: Optical Transmission Security: Speed of Encryption

(Figure: four placements of encryption for Site A to Site B traffic coming from a Router and an FC Switch, ranked along an axis from "speed, throughput and simplicity" at the top to "flexibility and complexity" at the bottom.)
•  xWDM based encryption: Router and FC Switch feed the WDM transport at each site, across the WAN
•  Ethernet based encryption
•  IPsec based encryption
•  FC based encryption
FC/IP conversion appears at both sites in the lower options.

Page 14: L1 Encryption Solution

Encryption at the lowest possible layer
•  Highest level of security
•  Speed, low latency
•  100% throughput
•  Protocol and data rate agnostic
•  Operational simplicity

Page 15: Data Center Connectivity, Dark Fiber: ConnectGuard Optical, Layer 1 Encryption

•  Protocol agnostic native transport of all data over a single color (wavelength).
•  16G Fibre Channel, with future 32GFC, increases real throughput.
•  Long list of certifications and partners.
•  Maximum security and lowest latency.

(Figure: Site A and Site B, each with Mainframe, Server and Storage. Applications: Data Mirroring, Remote Backup, GDPS, Snapshot, Server Clustering. Protocols carried natively: 4/8/10/16G Fibre Channel, 1/10/40/100G Ethernet, InfiniBand SDR/DDR/QDR/FDR/FDR-10, FICON.)

Page 16: Encryption over WDM: 10GbE, 16G FC, 40GbE, 100GbE Services

(Figure: at Site A and Site B, LAN, SAN and legacy traffic enter a multi-rate 10TCE-PCN-16GU+AES100G card and cross the WDM network encrypted; both ends are managed by the FSP Network & Crypto Manager.)

Page 17: Business Continuity Example: Sync

(Figure: Data Center Site-A with servers/mainframes, a Director, the primary DISK and an NMS; Intermediate Site-B with a Director, the secondary DISK as sync mirror, and a tape vault. The sites are connected over 0 to 200 km of fiber by WDM, with an FSP node at each end.)

Synchronous operation: a local transaction will only complete when the remote transaction completes.

Page 18: Layer 1 Encryption

•  Large enterprises, e.g. financials, are upgrading their infrastructure to layer 1 encryption between their DCs.
•  We believe that Cloud SPs will benefit from the same methodology.
•  Layer 1 encryption will motivate large enterprises to move into the Cloud.

3,830 x 10G equivalent encrypted links in operation:
•  61% Finance (70 customers)
•  10% Cloud SPs (18 customers)
•  9% Government (16 customers)
•  6% Healthcare (8 customers)
•  5% Utilities (9 customers)

Page 19: Verticals & Cloud Service Providers' Use of L1 Encryption

•  Government: security sensitive
•  Healthcare: security & cost sensitive
•  Utility: latency & security sensitive
•  Finance: latency & security sensitive
•  Internet economy: scalability & cost sensitive

•  Public Cloud: XaaS, Internet connect
•  Private Cloud: BC & DR, lowest latency, secure LAN/SAN/WAN
•  Dynamic Hybrid Cloud: BC & DR (on & off premises), lowest latency, secure LAN/SAN/WAN

Encryption is important for all industries.

Page 20: Use Cases: Marist IBM ADVA SDN Lab

•  Bandwidth calendaring
•  Cloud bursting
•  Secure multi-tenancy
•  Workload balancing

The transactional nature of DC-to-DC traffic (bulk data transfers) offers opportunities for optical bandwidth-on-demand.

(Figure: the private data centers of Tenant 1 and Tenant 2 shifting load to a Cloud DC.)

Page 21: Combined Sync/Async Scenario

(Figure: Data Center Site-A (servers/mainframes, Director, primary DISK) sync-mirrors over 0 to 200 km of fiber to Intermediate Site-B (Director, secondary DISK, tape vault); Site-B async-mirrors a third copy over a carrier network of 0 to 1000s of km, through FC/IP gateways, to the CLOUD DR Site-C in Ohio. WDM with FSP nodes at each hop.)

Asynchronous operation: no specific link between completion of a local and a remote transaction.

Page 22: Encryption over L1 Carrier Networks: 1GbE & 10GbE Services

(Figure: Site A and Site B LANs, n*1GbE and 10GbE, enter a 5TCE-PCN-AES card at each end and cross a carrier-managed OTN network encrypted; managed by the FSP Network & Crypto Manager.)

Page 23: L2 Encryption Solution

Page 24: ConnectGuard: Secure Connectivity on All Layers

(Figure: sites placed on a bandwidth scale from 1.5 Mbit/s to 100 Gbit/s. Two data centers with LAN, SAN and cluster traffic at >100 Gbit; HQ and main office LANs at >10 Gbit; >100 Mbit links; branches A, B and C at up to 1 Gbit.)

Page 25: MACsec with Cloud

(Figure: LANs at Site A, Site B and Site C connected through a cloud.)

Page 26: proSEC with Cloud

(Figure: the same three sites connected through a cloud.)

Page 27: proSEC Capabilities

•  IEEE 802.1AE-2006 compliant with GCM-AES-128 cipher suite
•  IEEE 802.1AEbn-2011 compliant with GCM-AES-256 cipher suite
•  Packet number generation and checking
•  Advanced MACsec transformation with single/dual VLAN bypass
•  Supports point-to-point secure connectivity
•  Works in conjunction with the ADVA Security Association Protocol (SAP) for the distribution of the cryptographic keys

Secure multipoint services

(Figure: UBS branch #1, UBS branch #2 and the UBS hub site, each with a CE behind an encryption point, connected across a carrier network through NIDs. Sensitive data to/from branch 1 travels on VID 10 and to/from branch 2 on VID 20; inside the carrier network each frame carries its VLAN tag in the clear together with the SecTAG, so the carrier switches on VID 10/20 while the payload stays encrypted.)

Page 28: Encryption Management & Operations

Page 29: Data Center Networks: Encryption Management for Private Networks

Scenario 1: the user of encryption is the operator of the equipment.

(Figure: FSP NM server and FSP NM clients on the LAN, with the Crypto Manager running on the FSP NM; FSP nodes and 3rd-party NEs are reached over the DCN, or locally via FSP EM or LCT/CLI.)

Page 30: Data Center Networks: Encryption Management for Private Networks

Scenario 2: the encryption user does not own the network.

(Figure: the operator's FSP NM server and clients on the LAN manage the FSP nodes and 3rd-party NEs over the DCN; Customer A reaches a GUI server running the NM client apps over the web (WWW), and the Crypto Manager runs on that GUI server.)

Page 31: Crypto Management: Management Levels Provided

•  Operational management
   –  Deals with all operational aspects (FCAPS)
   –  User access is handled on the NCU
•  Security management
   –  Control of all security relevant activities
   –  Separated from operational management
   –  Access control handling on the AES muxponder, not on the NCU
   –  Security relevant activities are performed using the security relevant credentials
   –  ROOT users have no access to security management

Page 32: Summary

•  Large data center users will migrate certain workloads to the Cloud to take advantage of the latest technologies at affordable costs.
•  Security of their data is the No. 1 concern.
•  Layer 1 encryption is their solution of choice; it
   –  does not impact performance or latency
   –  supports the latest data center protocols
   –  is easy to manage and operate
•  Layer 2 encryption with MACsec+ innovation
   –  enhances deployment flexibility at lower cost
   –  reduces complexity

This is what we offer to large enterprises and Cloud Service Providers: legacy plus Cloud.

Page 33: Backup slides

Page 34: Management Security

Authentication: RADIUS server
•  Centralized password and user management
•  User-access logging

Access to the system/NCU: Secure Shell and SNMPv3
•  Full management encryption
•  Embedded craft terminal communication based on HTTPS, SSH or SNMPv3
•  Firmware and database updates via SCP
•  User tracking

Security inside FSP Network Manager
•  CORBA/TLS for client-server communication
•  Northbound I/F: XML/HTTPS, SCP/SSH
•  Filtered network views via Service Manager
•  All user information in the FSP NM database is encrypted

(Figure: FSP nodes as RADIUS clients of a central RADIUS server; local administration by an operator via SSH.)

Page 35: Crypto Officer on FSP Network Manager

(Screenshot: Crypto Manager launched for a dedicated service.)

Page 36: Crypto Manager

(Screenshot.)

Page 37: Crypto Manager for Data Services

Encryption can be managed in different ways, based on the usage scenario.

Management via LCT/CLI:
–  Encryption user has direct access (serial/Telnet/HTTPS) to the equipment (Telnet carries the session, including the crypto officer password, in the clear; the serial console or HTTPS/SSH should be used for this path)
–  Encryption management is a separate management area inside LCT/CLI (separate encryption user and operational user access)
–  Every security relevant command inside LCT/CLI has to be confirmed with the crypto officer password

Management via FSP NM/SM/Crypto Manager:
–  Crypto Manager allows graphical management of encryption parameters
–  Each change of parameters inside Crypto Manager must be confirmed with the Crypto Officer password
–  Combination with Service Manager enables the operator to give a limited network view to the encryption user so that he only sees/manages his own services
–  Service Manager/Crypto Manager can run in a virtualized environment (Citrix) to keep the customer behind the firewall

Page 38: FSP 3000 Security Suite Benefits

… for enterprise customers
•  Helps to effectively protect critical information
•  Superior low-latency performance
•  Enables compliance with laws and regulations

… for carriers and service providers
•  Attract new customers in key verticals
•  Differentiate service offering and increase margins
•  Enable new encryption service offerings through separate transmission and encryption management