Layer 1 & Layer 2 Encryption. Why: "One Size Does Not Fit All"
TRANSCRIPT
Todd Bundy, Director of Global Business Development, ADVA Optical Networking, [email protected], 203-546-8230
© 2015 Internet2
Given on 4/28/2015
Why Encryption at L1 and L2?
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."
Edward Snowden, Guardian interview, Moscow, July 2014
Data Center Environment & Security
(Diagram: applications at each site, FSP transport between them.) The slides walk through what is normally secured today:
• Physical access to the data center
• Hardware security
• Software security
• ... and what about the fiber connection?
Fiber Optic Networks: Tapping Possibilities
There are multiple ways to access fiber.
How to get access?
• Y-bridge for service activities
• Fiber coupling device
Where to get access?
• Street cabinet
• Splice boxes / cassettes (outdoor / in-house)
The World's 1st 100G Encryption Demo
(Diagram.) Three stations, each built from an XG-210 video source, a 10TCE-AES100G card and a 4CSM (the receiver side also with an EDFA VGC):
• Local "Sender": video in, CLI
• Intermediate "Hacker": tapping the fiber with an optic coupler; CLI shows "?" instead of the video
• Remote "Receiver": video out, CLI
Comparison: Layer 1 & 2 solutions

Requirement                      IPsec                                  MACsec (L2)                        MACsec+ (L2)                    Layer 1
Complexity & cost                high                                   low                                low                             low
Latency                          high                                   low                                low                             extremely low
Deployment                       no dedicated end-to-end connectivity   hop-to-hop only (security risk)    end-to-end                      end-to-end
Data throughput                  low                                    medium                             medium                          100%
Protocol transparency            low                                    medium                             medium                          high
Flexible encrypted payload size  restricted                             restricted (standard MAC size)     restricted (9600 B MTU size)    1G - 100G
End-to-end compatibility         IP only                                layer 2 only                       VLAN bypass                     Fiber/OTN, SONET/SDH
Flexibility (meshed)             high                                   low                                medium                          low
High Speed Encryption Modes
MACsec (+32 bytes per frame)
• Hop-by-hop only
• Pure Ethernet based
• Overhead increase
Frame: DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS; everything from the S-TAG to the payload is encrypted, DA through ICV is authenticated.
IPsec ESP-AES-256 with ESP-SHA-HMAC (+73 bytes per packet)
• Bandwidth constraints
• IP VPN services
• Huge overhead
Frame: DA SA S-TAG C-TAG Etype IPsec ESP IV Payload Trailer Auth FCS; only the payload and trailer are encrypted, ESP through trailer is authenticated.
Bulk mode, Layer 1 (0 bytes overhead)
• Point-to-point
• Protocol / interface agnostic (ETH, FC/IB, SONET/SDH)
• Integrated solution with lowest latency
Frame: DA SA S-TAG C-TAG Etype Payload FCS; the whole frame is encrypted, headers included.
proSEC (+32 bytes per frame)
• End-to-end, PtP or multi-point
• Pure Ethernet based
• Overhead increase
Frame: DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS; the S-TAG stays in the clear ahead of the SecTAG (VLAN bypass), C-TAG to payload is encrypted, DA through ICV is authenticated.
Encryption Performance: Comparison of Maximum Throughput (FSP 3000)
(Chart: throughput versus frame size in bytes for the modes above.)
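The overhead and frame-layout slides above can be turned into the chart and into a "what does the tap see" list. The following is an added example, not code from the ADVA/Internet2 deck: the per-frame overhead figures (MACsec/proSEC +32 B, IPsec ESP +73 B, Layer 1 bulk 0 B) and the field orders are the slide's own; the 20-byte preamble/SFD/inter-frame-gap term, the 1518-byte standard maximum frame and the lists of fields that remain readable on the fiber are standard Ethernet and 802.1AE facts assumed here.

```go
// Added example, not code from the ADVA/Internet2 deck. Overhead figures and
// field orders are the slide's; the 20-byte line overhead, the 1518-byte
// standard maximum frame and the cleartext-field lists are assumptions
// taken from standard Ethernet / IEEE 802.1AE.
package main

import "fmt"

// Bytes of line time per frame that are not counted in the frame length:
// 7 B preamble + 1 B start-of-frame delimiter + 12 B minimum inter-frame gap.
const lineOverhead = 20

// Mode describes one encryption placement from the slide.
type Mode struct {
	Name      string
	Overhead  int             // bytes added to every frame
	Fields    []string        // on-the-wire field order
	Cleartext map[string]bool // fields an intermediate fiber tap reads without the key
}

var Modes = []Mode{
	// Layer 1 bulk mode: the whole bit stream is ciphered, MAC addresses included.
	{"L1 bulk", 0,
		[]string{"DA", "SA", "S-TAG", "C-TAG", "Etype", "Payload", "FCS"},
		map[string]bool{}},
	// IEEE 802.1AE MACsec: SecTAG follows the SA; everything after it is
	// encrypted, so VLAN tags are hidden and a carrier cannot switch on them.
	{"MACsec", 32,
		[]string{"DA", "SA", "SecTAG", "S-TAG", "C-TAG", "Etype", "Payload", "ICV", "FCS"},
		map[string]bool{"DA": true, "SA": true, "SecTAG": true}},
	// proSEC / MACsec+ with single VLAN bypass: the S-TAG stays readable ahead
	// of the SecTAG so a carrier E-LAN can forward on it end to end.
	{"proSEC", 32,
		[]string{"DA", "SA", "S-TAG", "SecTAG", "C-TAG", "Etype", "Payload", "ICV", "FCS"},
		map[string]bool{"DA": true, "SA": true, "S-TAG": true, "SecTAG": true}},
	// IPsec ESP (AES-256, SHA-HMAC): L2 headers, outer IP header, ESP header
	// and IV all travel in the clear.
	{"IPsec", 73,
		[]string{"DA", "SA", "S-TAG", "C-TAG", "Etype", "IPsec", "ESP", "IV", "Payload", "Trailer", "Auth", "FCS"},
		map[string]bool{"DA": true, "SA": true, "S-TAG": true, "C-TAG": true, "Etype": true, "IPsec": true, "ESP": true, "IV": true}},
}

// RelativeThroughput is the fraction of the unencrypted frame rate that
// survives when every frame of frameLen bytes grows by overhead bytes on a
// fixed-rate link. Small frames suffer most, which is the slope of the chart.
func RelativeThroughput(frameLen, overhead int) float64 {
	return float64(frameLen+lineOverhead) / float64(frameLen+overhead+lineOverhead)
}

// NeedsBiggerMTU reports whether the encrypted frame exceeds the largest
// frame the path accepts (1518 B for standard Ethernet; the slide's MACsec+
// column is bounded by a 9600 B MTU).
func NeedsBiggerMTU(frameLen, overhead, maxFrame int) bool {
	return frameLen+overhead > maxFrame
}

// LeakedFields lists, in wire order, what a tap learns from each frame.
func LeakedFields(m Mode) []string {
	var out []string
	for _, f := range m.Fields {
		if m.Cleartext[f] {
			out = append(out, f)
		}
	}
	return out
}

// ModeByName looks a mode up by its slide label.
func ModeByName(name string) (Mode, bool) {
	for _, m := range Modes {
		if m.Name == name {
			return m, true
		}
	}
	return Mode{}, false
}

func main() {
	sizes := []int{64, 128, 256, 512, 1024, 1518, 9600}
	fmt.Printf("%-8s", "frame")
	for _, s := range sizes {
		fmt.Printf("%8d", s)
	}
	fmt.Println()
	for _, m := range Modes {
		fmt.Printf("%-8s", m.Name)
		for _, s := range sizes {
			fmt.Printf("%8.3f", RelativeThroughput(s, m.Overhead))
		}
		fmt.Println()
	}
	for _, m := range Modes {
		fmt.Printf("%-8s readable on the fiber: %v\n", m.Name, LeakedFields(m))
	}
	fmt.Println("1518 B frame + MACsec fits a standard MTU:", !NeedsBiggerMTU(1518, 32, 1518))
}
```

Two things the table alone does not make obvious: a 64-byte frame under MACsec or IPsec keeps only about 72% or 54% of its line rate while a 9600-byte frame loses under 1%, and a full-size 1518-byte frame no longer fits a standard MTU once 32 bytes are added, which is why the MACsec columns are tied to MTU sizes while Layer 1 bulk mode is not.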
Optical transmission security: Speed of Encryption
(Diagram; axes: "speed, throughput and simplicity" against "flexibility and complexity".) Four placements of encryption between Site A and Site B, each site with a router and an FC switch:
• xWDM based encryption: in the WDM transport across the WAN
• Ethernet based encryption: at the Ethernet edge across the WAN
• IPsec based encryption: in the routers across the WAN
• FC based encryption: FC/IP gateways over the WDM transport
L1 Encryption Solution
• Highest level of security
• Speed: low latency
• 100% throughput
• Protocol and data rate agnostic
• Operational simplicity
Encryption at the lowest possible layer:
• Protocol agnostic native transport of all data over a single colour (wavelength).
• 16G Fibre Channel, with future 32GFC, increases real throughput.
• Long list of certifications and partners.
• Maximum security and lowest latency.
Data Center Connectivity - Dark Fiber: ConnectGuard Optical, layer 1 encryption
Applications: data mirroring, remote backup, GDPS, snapshot, server clustering.
Protocols: 4/8/10/16G Fibre Channel, 1/10/40/100G Ethernet, InfiniBand (SDR/DDR/QDR, FDR/FDR-10), FICON.
(Diagram: Site A and Site B, each with mainframe, server and storage on LAN, SAN and legacy interfaces, connected through multi-rate 10TCE-PCN-16GU+AES100G cards over the WDM network.)
Encryption over WDM for 10GbE, 16G FC, 40GbE and 100GbE services, managed by the FSP Network & Crypto Manager.
Business continuity example - sync
(Diagram.) Data Center Site-A (servers/mainframes, director, primary DISK, tape vault, NMS) is connected over 0-200 km of fiber, through WDM with FSP and Layer 1 Encryption, to the intermediate Site-B sync mirror (servers/mainframes, director, secondary DISK).
Synchronous operation: a local transaction will only complete when the remote transaction completes.
• Large enterprises e.g. Financials upgrading their infrastructure to layer 1 encryption between their DCs.
• We believe that Cloud SPs will benefit from the same methodology.
• Layer 1 encryption will motivate large enterprise to move into the Cloud.
3,830 x 10G equivalent encrypted links in operation • 61% Finance (70 customers) • 10% Cloud SPs (18 customers) • 9% Government (16 customers) • 6% Healthcare ( 8 customers) • 5% Utilities ( 9 customers)
Verticals & Cloud Service Providers' use of L1 Encryption
• Government: security sensitive
• Healthcare: security & cost sensitive
• Utility: latency & security sensitive
• Finance: latency & security sensitive
• Internet economy: scalability & cost sensitive
Cloud models:
• Public Cloud: XaaS, Internet connect
• Private Cloud: BC & DR, lowest latency, secure LAN/SAN/WAN
• Dynamic Hybrid Cloud: BC & DR (on & off premises), lowest latency, secure LAN/SAN/WAN
Encryption is important for all industries.
Use Cases: Marist IBM ADVA SDN Lab
• Bandwidth calendaring
• Cloud bursting
• Secure multi-tenancy
• Workload balancing
The transactional nature of DC-to-DC traffic (bulk data transfers) offers opportunities for optical bandwidth-on-demand.
(Diagram: Cloud DC and private data centers; Tenant 1 and Tenant 2 loads.)
Combined sync/async scenario
(Diagram.) Data center site-A (servers/mainframes, director, primary DISK, tape vault) connects over 0-200 km of fiber, through WDM with FSP, to the intermediate site-B sync mirror (servers/mainframes, director, secondary DISK). From there, FC/IP gateways and FSP carry the traffic over 0-1000's km of carrier network to the CLOUD DR site-C in Ohio, an async mirror holding the third copy on DISK.
Asynchronous operation: no specific link between completion of a local and a remote transaction.
Encryption over L1 Carrier Networks: 1GbE & 10GbE services
(Diagram: Site A and Site B LANs, n*1GbE and 10GbE, connected through 5TCE-PCN-AES cards into an OTN network offered as a carrier managed service; managed with the FSP Network & Crypto Manager.)
L2 Encryption Solution
ConnectGuard secure connectivity on all layers
(Diagram; bandwidth scale from 1.5 Mbit/s to 100 Gbit/s.) Two data centers with LAN, SAN and cluster are connected at >100 Gbit; HQ LAN and main office LAN at >10 Gbit and >100 Mbit; Branches A, B and C at up to 1 Gbit each.
MACsec slide with cloud: Site A, Site B and Site C LANs connected through the cloud.
proSEC slide with cloud: Site A, Site B and Site C LANs connected through the cloud.
proSEC capabilities
• IEEE 802.1AE-2006 compliant with the GCM-AES-128 cipher suite
• IEEE 802.1AEbn-2011 compliant with the GCM-AES-256 cipher suite
• Packet number generation and checking
• Advanced MACsec transformation with single/dual VLAN bypass
• Supports point-to-point secure connectivity
• Works in conjunction with the ADVA Security Association Protocol (SAP) for the distribution of the cryptographic keys
Secure multipoint services
(Diagram: UBS hub site, UBS branch #1 and UBS branch #2 across a carrier network.) Each site has a CE and an encryption point behind the carrier's NID. Sensitive data to/from branch 1 travels on VID 10, to/from branch 2 on VID 20. Inside the carrier network the frames carry both the VLAN ID and a SecTAG (VID10 + SecTAG, VID20 + SecTAG): the VLAN tag stays visible for forwarding while the payload is encrypted end to end between the encryption points.
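The proSEC capability list and the multipoint slide above describe an 802.1AE-style transform: GCM-AES keyed per secure association, a packet number that both numbers the frame and forms the GCM nonce, and a VLAN bypass that leaves the S-TAG readable for the carrier. The code below is an added example written for this page, not ADVA's proSEC implementation or the SAP key protocol: the 16-byte SecTAG layout, the SCI||PN nonce and the "lowest acceptable PN" replay rule follow IEEE 802.1AE, while the key, SCI, MAC addresses and frame contents are constructed for the demo and the strict zero-width replay window is a simplification.

```go
// Added example (not ADVA code): an 802.1AE-style GCM-AES transform with the
// packet number in the nonce, replay checking, and proSEC-style S-TAG bypass.
// Key, SCI, addresses and payload below are constructed demo values.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macsecEtherType = 0x88E5 // IEEE 802.1AE SecTAG EtherType
	sTagEtherType   = 0x88A8 // IEEE 802.1ad service VLAN tag
	tci             = 0x2C   // TCI/AN byte: SC=1 (SCI present), E=1, C=1, AN=0
)

// SecureAssociation is the per-SA state each end keeps for one direction.
type SecureAssociation struct {
	aead   cipher.AEAD
	sci    [8]byte // Secure Channel Identifier: transmitter MAC || port id
	nextPN uint32  // tx: next PN to send; rx: lowest acceptable PN
}

// NewSA takes a 16-byte key (GCM-AES-128) or 32-byte key (GCM-AES-256).
func NewSA(key []byte, sci [8]byte) (*SecureAssociation, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureAssociation{aead: aead, sci: sci, nextPN: 1}, nil // PN 0 is never used
}

// secTag builds the 16-byte SecTAG: EtherType, TCI/AN, SL, PN, SCI.
func secTag(pn uint32, sl byte, sci [8]byte) []byte {
	tag := make([]byte, 16)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2], tag[3] = tci, sl
	binary.BigEndian.PutUint32(tag[4:8], pn)
	copy(tag[8:16], sci[:])
	return tag
}

// nonce is the 12-byte GCM IV, SCI || PN: a PN must never repeat under one key.
func nonce(sci [8]byte, pn uint32) []byte {
	iv := make([]byte, 12)
	copy(iv[0:8], sci[:])
	binary.BigEndian.PutUint32(iv[8:12], pn)
	return iv
}

// Protect secures (dst, src, sTag, rest). With bypassSTag the S-TAG stays in
// the clear before the SecTAG and is only authenticated, so a carrier can
// forward on it; otherwise it is encrypted like the rest (standard MACsec).
func (sa *SecureAssociation) Protect(dst, src, sTag, rest []byte, bypassSTag bool) ([]byte, error) {
	if sa.nextPN == 0 {
		return nil, errors.New("PN space exhausted: a fresh key is required")
	}
	pn := sa.nextPN
	sa.nextPN++
	body := rest
	if !bypassSTag {
		body = concat(sTag, rest)
	}
	sl := byte(0) // short-length field: only set when fewer than 48 bytes are secured
	if len(body) < 48 {
		sl = byte(len(body))
	}
	hdr := concat(dst, src, secTag(pn, sl, sa.sci))
	if bypassSTag {
		hdr = concat(dst, src, sTag, secTag(pn, sl, sa.sci))
	}
	// Seal appends ciphertext and the 16-byte ICV; the clear header is the AAD.
	return concat(hdr, sa.aead.Seal(nil, nonce(sa.sci, pn), body, hdr)), nil
}

// Unprotect checks the SecTAG, enforces the PN replay rule, verifies the ICV
// and returns the decrypted body. nextPN advances only after a valid ICV, so
// a forged frame cannot move the receive window.
func (sa *SecureAssociation) Unprotect(frame []byte, bypassSTag bool) ([]byte, error) {
	if sa.nextPN == 0 {
		return nil, errors.New("PN space exhausted: a fresh key is required")
	}
	hdrLen := 12 + 16
	if bypassSTag {
		hdrLen += 4
	}
	if len(frame) < hdrLen+sa.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr, tag := frame[:hdrLen], frame[hdrLen-16:hdrLen]
	if binary.BigEndian.Uint16(tag[0:2]) != macsecEtherType || !bytes.Equal(tag[8:16], sa.sci[:]) {
		return nil, errors.New("no SecTAG for this secure channel")
	}
	pn := binary.BigEndian.Uint32(tag[4:8])
	if pn < sa.nextPN {
		return nil, fmt.Errorf("replay: PN %d below lowest acceptable PN %d", pn, sa.nextPN)
	}
	body, err := sa.aead.Open(nil, nonce(sa.sci, pn), frame[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("ICV check failed: header or body modified")
	}
	sa.nextPN = pn + 1
	return body, nil
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func main() {
	key := make([]byte, 32) // constructed demo key (GCM-AES-256); never use a fixed key in practice
	for i := range key {
		key[i] = byte(i)
	}
	sci := [8]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01} // made-up MAC || port 1
	tx, _ := NewSA(key, sci)
	rx, _ := NewSA(key, sci)
	dst := []byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x02}
	sTag := make([]byte, 4) // S-TAG with VID 10, as in the branch example
	binary.BigEndian.PutUint16(sTag, sTagEtherType)
	binary.BigEndian.PutUint16(sTag[2:], 10)
	wire, _ := tx.Protect(dst, sci[:6], sTag, []byte("C-TAG, EtherType and payload"), true)
	fmt.Printf("on the carrier network: %x\n", wire)
	body, err := rx.Unprotect(wire, true)
	fmt.Printf("hub recovered %q (err=%v)\n", body, err)
	_, err = rx.Unprotect(wire, true)
	fmt.Println("same frame injected again:", err)
}
```

The bypassed S-TAG is still covered by the ICV, so a carrier can read the VID but cannot change it without the hub rejecting the frame. Real deployments replace the strict window with a configurable replay window and rotate the SAK before the 32-bit PN wraps; the SAP key distribution the slide mentions is outside this example.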
Encryption Management & Operations
Data Center Networks: Encryption Management for Private Networks
Scenario 1 - User of encryption is the operator of the equipment: FSP NM server and FSP NM clients on the LAN, management via FSP EM or LCT/CLI, a DCN to the FSP and 3rd-party NEs; the Crypto Manager runs on the FSP NM.
Scenario 2 - Encryption user does not own the network: FSP NM server and clients on the operator's LAN and DCN, a GUI server running the NM client apps, and Customer A reaching that GUI server over the web; the Crypto Manager runs on the GUI server.
Crypto Management: management levels provided
• Operational management: deals with all operational aspects (FCAPS); user access is handled on the NCU.
• Security management: control of all security-relevant activities; separated from operational management; access control is handled on the AES muxponder, not on the NCU; security-relevant activities are performed using the security-relevant credentials; ROOT users have no access to security management.
SUMMARY
• Large data center users will migrate certain workloads to the Cloud to take advantage of the latest technologies at affordable cost.
• Security of their data is the No. 1 concern.
• Layer 1 encryption is their solution of choice; it
  - does not impact performance or latency
  - supports the latest data center protocols
  - is easy to manage and operate
• Layer 2 encryption with the MACsec+ innovation
  - enhances deployment flexibility at lower cost
  - reduces complexity
This is what we offer to large enterprises and Cloud Service Providers: legacy plus Cloud.
Backup slides
Management Security
• Authentication via RADIUS server (the NE acts as RADIUS client): centralized password and user management; user-access logging.
• Access to the system/NCU via Secure Shell and SNMPv3: full management encryption; embedded craft terminal communication based on HTTPS, SSH or SNMPv3; firmware and database updates via SCP; user tracking.
• Security inside FSP Network Manager: CORBA/TLS for client-server communication; northbound I/F via XML/HTTPS and SCP/SSH; filtered network views via Service Manager; all user information in the FSP NM database is encrypted.
(Diagram: local administration by the operator via SSH (Secure Shell) to the FSP elements; the Crypto Officer works on FSP Network Manager with the Crypto Manager launched for a dedicated service.)
Crypto Manager for Data Services
Encryption can be managed in different ways, based on the usage scenario:
Management via LCT/CLI:
– The encryption user has direct access (serial/Telnet/HTTPS) to the equipment (Telnet carries credentials in the clear; the SSH/SNMPv3 access described under Management Security is the encrypted path).
– Encryption management is a separate management area inside LCT/CLI (separate encryption user and operational user access).
– Every security-relevant command inside LCT/CLI has to be confirmed with the crypto officer password.
Management via FSP NM/SM/Crypto Manager:
– Crypto Manager allows graphical management of encryption parameters.
– Each change of parameters inside Crypto Manager must be confirmed with the Crypto Officer password.
– Combination with Service Manager enables the operator to give a limited network view to the encryption user, so that he only sees and manages his own services.
– Service Manager/Crypto Manager can run in a virtualized environment (Citrix) to keep the customer behind the firewall.
FSP 3000 Security Suite Benefits
... for Enterprise customers
• Helps to effectively protect critical information
• Superior low-latency performance
• Enables compliance with laws and regulations
... for Carriers and Service Providers
• Attract new customers in key verticals
• Differentiate the service offering and increase margins
• Enable a new encryption service offering through separate transmission and encryption management