Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

Secured Encrypted 1G to 40G DWDM Transport Solutions

oday’s trend of increased use of virtual and cloud networks has proven to offer new cost effective opportunities for organization and data centers, but on the other hand, has opened organizations to vulnerability from sophisticated outside attackers.

The need for backup, business continuity and data transport between multiple data center sites has grown. In addition, today’s enterprise networks have extended from on-premise to remote cloud virtual networks, thus forming high bandwidth optical transport network to connect between the remote sites over increasing distances . Therefore the data transport networks today are exposed to security holes previously not encountered. This situation has made traditional premise security devices insufficient for today’s needs. In today’s world, data encryption methods previously used only by military and intelligence services, are now the relevant viable data protection solution, not only to banks and financial institutions, but to all forms of data transfer across platforms. Using encryption methods for data transfer is not enough. Data transfer encryption does not provide protection against attacks on the management traffic. Such attacks can cause damage and outage of the entire infrastructure. Thus the use of secured management protocols such as SNMPv3, SSH (Secured Shell), HTTPS (Secured HTTP) and firewalls has also become mandatory. Another essential protection aspect is the security of the optical link. The purpose of the optical link security is providing the IT administrators tools to identify tapping of the optical fiber by detection of unexplained link power degradation. Transport Protection Options For remote data centers and disaster recovery connectivity as well as for cloud and virtual networks, fiber optic infrastructure has been widely used. With WDM solutions, multiple data rates can be multiplexed together and be transported across the network with ultra low latency. The fiber infrastructure also offers huge capacity, with up to 96 wavelengths of 100G transported over a single fiber. Until recently, fiber optic cable was considered more secure than other transport mediums, and virtually immune to data hacking. However, recent studies proved that even fiber can be hacked by using different methods and relatively simple tools. This raised a need for transport security measures over fiber networks as well. Just owning your own dark fiber infrastructure is no longer guarantee for data security. In order to provide secured fiber optic link, a combination of physical premise protection, secured management protocols, with encryption method and with optical power level monitoring should be used. The combined method provides the network administrator the set of tools that help to prevent, detect, isolate and counter any potential or occurring data hacking attempt.

T

Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

PacketLight’s Solution PacketLight’s innovative cryptography solution, PL-1000TE Crypto, offers high security level for the fiber infrastructure by combining cryptographic protection at the layer-1 of the service data flow, firewall, secured management protocols, password protected role based user authentication, and optical link power level monitoring. PL-1000TE Crypto ensures three major concerns of optical link security:

Confidentiality - preventing disclosure of information to unauthorized parties Data integrity - ensuring that the data has not been altered Authentication – validating that both parties involved are indeed who they claim to be

PacketLight’s encryption is transparent to the traffic without any degradation to the DWDM link performance or to the QoS of transferred data providing full end-to-end transparency of service data and clock with a low latency of less than 20usec for 10GbE. With PacketLight’s layer -1 encryption solution, there is no need for any changes to existing layer-2 and layer-3 switches and routers in the network. The solution is agnostic to the Layer-2/3 equipment vendor and type. Thus, it is easy to deploy in any environment with minimal cost and time.

Encription Mechanism PL-1000TE Crypto

The PL-1000TE Crypto has 8 independent encryption machines and key exchange so each service is isolated and encrypted independently of the others. Each transponder can perform GCM-AES-256 Encryption to the client signal, supporting full bandwidth of 1GbE, 10GbE, 4G FC, 8G FC, 10G FC, 16G FC services. In addition, the user can configure four 10GbE transponders as a single 40GbE service. The user can flexibly activate the encryption/decryption functionality for specific transponders and selected wavelengths.

Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

The bit rate of the encrypted services is compatible with the bit rate of standard signals. For example, the bit rate of encrypted 10GbE, 8G FC and 4G FC is the same as 10GbE bit rate. Thus, these encrypted services can be mapped over OTN (Optical Transport Network) networks with standard OTU2e (10G). For example, each 10G encrypted signal can be transported over 10G OTU2e wavelength using the PL-1000TN, or up to 10 encrypted signals can be multiplexed into a single 100G OTN uplink by PacketLight’s muxponder devices PL-1000GM or PL-1000GT. The cryptographic module of the PL-1000TE Crypto is compliant with NIST FIPS 140-2 standards and NSA Suite B requirements.

For protection of the management traffic, PacketLight’s DWDM equipment supports a built-in firewall with every unit. The firewall provides protection for PacketLight’s device from attacks targeted against the management port by letting the user to maintain a white list of managers that can access the device and to specify the list of blocked/allowed management protocols. In addition, PacketLight’s device supports SNMPv3, SSH and HTTPS protocols for secured management traffic.

For protection of the optical fiber, PacketLight’s DWDM equipment provides advanced fiber monitoring capabilities that allow monitoring of the attenuation levels between two sites in real time and provide system alerts in case of significant optical power degradation. Malicious fiber tapping attempts are one of the reasons that cause degradation in the fiber attenuation. With these alerts, such tapping can be quickly identified and remedied.

Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

Applications and Usability

Below are a few examples in which PacketLight’s Encryption technology can be utilized and provide value added solution and services for different segments:

Building private secured optical network for regulation compliance by financial institutes and utility companies

The awareness of the need for data security is growing among all the financial institutes due to the high sensitivity of financial data and transactional flow between data centers. In several countries, such as Germany, there are legislations which require the data over the fiber between data centers to be encrypted. The typical encrypted interfaces are the 1G/10G/40G Ethernet and 4/8/10/16G Fibre Channel protocols used for data and storage transport. The security awareness has particularly increased for the utility companies where data security compromise can have a wide spread effect that can hurt country wide infrastructure and may have huge ramifications. Malicious hacking attack on utility company’s data can shut down essential services such as electricity, water, and transportation. Thus, the utility company network must be encrypted keeping it inaccessible for tapping or modification.

PacketLight’s Layer-1 encryption solution is agnostic to the application layer and the SAN and LAN equipment used, which makes the solution externally cost effective and simple to deploy. PacketLight’s solution can even be integrated with existing WDM infrastructure and encrypted wavelengths can be added at any time with no impact on the existing applications.

Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

Offering of Encrypted Wavelength service by service providers over OTN networks

Service providers are operating in an extremely competitive market. Offering value added services to distinguish themselves among the other service providers is one of the essential challenges for their business. Encrypted wavelength is one of the value added services that can be offered in a cost effective way with PacketLight’s most compact high bandwidth DWDM CPE solutions with guaranteed short term ROI for the equipment. The encryption is enabled or disabled per each interface independently and is applied transparently to the client as a part of the DWDM service. The encryption supports the most common FC and Ethernet signals and is configured flexibly by the user to the type and service rate.

The same box is used for transparent DWDM managed service and encrypted solution, so the encrypted WL service is a “no brainer” addition to the service provider’s offerings. The encryption can be either configured by the cryptographic officer of the end enterprise or by the service provider as different level of permissions are supported for the encryption functionality. PacketLight encryption solutions can connect with OTU2 and OTU4 to the carrier backbone infrastructure without any need to change or upgrade it. Using the PL-1000TE Crypto as the encryption device feeding the PL-1000TN for 10G OTU2 or the PL-1000GM/GT as the Muxponder solution to 100G OTU4 enables provision of encryption over any existing OTN network infrastructure.

Cloud and data center affordable Encryption solution

Solution Overview

© 2015 PacketLight Networks, All rights reserved. This document is PacketLight Public Information.

ww

w.p

ac

ke

tlig

ht.

co

m

One of the major challenges for cloud and data center service providers is the link security, since the enterprise’s most vital information is sent between locations typically over fiber. In most cases, there is a core router located at the main data center site and through it different streams of services and end users are carried. The need for full throughput encryption of the connections between the core routers of the data centers is obvious. PacketLight’s product offers cost effective, transparent, high security solution for such service providers.

For more information visit our website at www.packetlight.com Or contact us via e-mail: info@packetlight.com

About PacketLight Networks, Ltd. PacketLight Networks offers a suite of Leading 1U CWDM/DWDM and OTN based solutions, for transport of data, storage, voice and video applications, over dark fiber and WDM networks, featuring high quality, reliability and performance at affordable prices. Our products are distinguished with low power consumption ideal for CLE (Customer Located Equipment) allowing maximum flexibility as well as ease of maintenance and operation and providing real Pay-as-you-grow architecture. PacketLight customers are carriers, service providers, data centers, IT integrators and enterprises who are active in meeting the demands for metro Ethernet, business continuity, Triple Play solutions and enterprise data sharing applications. For product and reseller information, Please contact info@packetlight.com