Locking up the Light: Cyber-Security at OFC
By Casimer DeCusatis, Ph.D. | Posted: 26 February 2015 12:00:00 AM
Although we seldom think about it, optical networks are a vital part of the economic infrastructure in many parts of the world. Emerging economies increasingly rely on the Internet to promote economic development and address social issues, and more established nations increasingly leverage cloud computing and the Internet for critical missions involving national security, public health and safety, and financial risk. The United States Central Intelligence Agency, for example, was recognized recently for its efforts in moving critical workloads into the cloud, and in February 2013 the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”. For more information, consult the Department of Homeland Security’s Critical Infrastructure Program.
With this level of attention, it’s not surprising that OFC will be hosting a growing number of workshops, presentations, and product showcases related to optical network security.
While network security is only part of a broader cybersecurity landscape, there’s a great deal that networking professionals can do to improve security. As a starting point, consider how the networking technologies being discussed at OFC address these three major concerns with optical link security:
Confidentiality – preventing the disclosure of information to unauthorized parties.
Data Integrity – ensuring that messages on the network have not been altered in transit.
Authentication – validating the identity of all parties involved in a communication transaction.
Optical networks can encrypt data to provide confidentiality and integrity once the communication channel has been authenticated. This should comply with relevant standards; in North America that means cryptographic modules validated under NIST FIPS 140-2 and algorithms drawn from the NSA Suite B set, applied at one and ten gigabit/second data rates. At these speeds it is possible to implement AES encryption at the physical layer without significant bandwidth degradation. User data can be encrypted while management data retains full end-to-end transparency, typically adding no more than tens of microseconds to overall link latency. The risk is greater for extended-distance links that leave the confines of a single data center and run over fiber the operator does not physically control, which is one reason why line-rate encryption for wavelength division multiplexing (WDM) devices is of particular interest.
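The encryption arrangement described in this section, as an added example written for this page (not code from the author, from OFC, or from any exhibitor's product): one end of a link seals each frame with AES-GCM so that the user payload is encrypted while the management header stays readable, yet the header is still covered by the authentication tag. The receiver rejects any frame whose header, ciphertext, tag or sequence number has been altered, and rejects replays. The key, the frame layout, the field names and the sample data are assumptions for illustration; agreeing the key after the channel has been authenticated is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame models a link-layer frame: a management header that intermediate
// equipment must still be able to read, and a user payload that must stay
// confidential. The authentication tag covers both.
type Frame struct {
	Header  []byte
	Payload []byte
}

// LinkPeer is one end of an encrypted link. The key is assumed to have been
// agreed after the channel was authenticated; that exchange is out of scope.
type LinkPeer struct {
	aead     cipher.AEAD
	sendSeq  uint64 // next sequence number to transmit
	recvSeq  uint64 // highest sequence number accepted so far
	recvSeen bool   // false until the first frame has been accepted
}

// NewLinkPeer builds the AES-GCM state; a 16, 24 or 32-byte key selects AES-128/192/256.
func NewLinkPeer(key []byte) (*LinkPeer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkPeer{aead: aead}, nil
}

// nonceFor derives the 96-bit GCM nonce from the sequence number. A nonce must
// never repeat under one key, so the counter is never allowed to wrap.
func nonceFor(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts the payload and authenticates header+payload. The returned
// frame keeps the header in the clear; its payload is ciphertext||tag.
func (p *LinkPeer) Seal(f Frame) (Frame, uint64, error) {
	if p.sendSeq == ^uint64(0) {
		return Frame{}, 0, errors.New("sequence space exhausted; rekey before sending")
	}
	seq := p.sendSeq
	p.sendSeq++
	ct := p.aead.Seal(nil, nonceFor(seq), f.Payload, f.Header)
	return Frame{Header: f.Header, Payload: ct}, seq, nil
}

// Open rejects replays, verifies the tag over header+ciphertext, then decrypts.
// Any change to header, ciphertext, tag or sequence number yields an error and
// no plaintext, and a failed check never advances the replay window.
func (p *LinkPeer) Open(f Frame, seq uint64) ([]byte, error) {
	if p.recvSeen && seq <= p.recvSeq {
		return nil, fmt.Errorf("replayed or out-of-order frame: seq %d", seq)
	}
	pt, err := p.aead.Open(nil, nonceFor(seq), f.Payload, f.Header)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	p.recvSeq, p.recvSeen = seq, true
	return pt, nil
}

// flipByte returns a copy of b with one bit of byte i inverted, to simulate tampering.
func flipByte(b []byte, i int) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= 0x01
	return c
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; never hard-code a real one
	tx, _ := NewLinkPeer(key)
	rx, _ := NewLinkPeer(key)
	frame := Frame{Header: []byte("MGMT wl=7 dst=node-3"), Payload: []byte("user data")} // constructed
	sealed, seq, _ := tx.Seal(frame)
	fmt.Printf("clear header %q, payload+tag %x\n", sealed.Header, sealed.Payload)
	pt, err := rx.Open(sealed, seq)
	fmt.Printf("decrypted %q (err=%v)\n", pt, err)
	_, err = rx.Open(Frame{Header: flipByte(sealed.Header, 5), Payload: sealed.Payload}, seq+1)
	fmt.Println("tampered header rejected:", err != nil)
}
```

Nonce handling is where designs like this fail in practice: a repeated (key, nonce) pair under GCM leaks the keystream and the authentication key, so the sequence counter is never allowed to wrap and a new key must be negotiated before it does. The receiver also leaves its replay window untouched when authentication fails, so a forged frame cannot knock a genuine one out of sequence.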
There are many possible frameworks for data center security. In response to the executive order noted previously, NIST published the Framework for Improving Critical Infrastructure Cybersecurity (version 1.0, February 2014), organized around five core functions: Identify, Protect, Detect, Respond, Recover.
All of these functions are potentially affected by the emerging trends in software-defined networking (SDN), overlay networks, and network function virtualization (NFV). For example, the Identify function covers activities such as asset management, governance, risk assessment, and risk management strategy. An SDN network offers new options here, such as a network application profile that carries pre-programmed incident response and built-in compliance testing of security policies. Linking network security policies directly to SDN code should greatly simplify audits, since the policy as written and the flow rules actually installed can be compared mechanically, giving a more direct translation between security policy intent and its implementation.
Overlay networks, which virtualize and abstract the underlying physical infrastructure, can also be used to deploy so-called “zero trust” or micro-segmentation architectures. With virtual firewalls and intrusion detection instantiated as waypoints on an overlay network, it becomes possible to monitor all network traffic, including the so-called “east-west” traffic between virtual servers (in modern data centers such traffic accounts for the vast majority of packets on the network). Since virtual networks can be dynamically re-configured in software, new approaches such as dynamic honeypots can be deployed to divert an attacker’s attention while automated response actions are carried out. Honeypots and micro-segmentation don’t strictly require SDN or NFV, but they become much more cost effective to implement and easier to manage with these tools, which will be among the key topics of interest during the technical sessions at OFC.
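To make the policy-to-code link in the two preceding paragraphs concrete, here is an added example (written for this page, not code from the author or from any SDN controller product): segmentation intent is compiled into the exact set of overlay forward rules it implies, and the flow table the controller reports as installed is then audited against that set. Every forward rule with no matching intent is an unauthorized east-west path, and every compiled rule missing from the table is policy that is not being enforced. The segment names, IP addresses, ports and flow table are constructed for illustration, and the controller is assumed to supply the default-drop rule that makes the policy zero-trust.

```go
package main

import (
	"fmt"
	"sort"
)

// Intent is one line of the segmentation policy: hosts in FromSeg may open
// TCP connections to hosts in ToSeg on Port. Anything not listed is denied
// by the controller's default-drop rule (assumed), the zero-trust default.
type Intent struct {
	FromSeg, ToSeg string
	Port           int
}

// Asset is an inventory entry (the Identify function) tying a virtual
// server to the segment it belongs to.
type Asset struct {
	IP, Segment string
}

// Rule is one entry in an SDN flow table; Action is "forward" or "drop".
type Rule struct {
	Src, Dst string
	Port     int
	Action   string
}

func (r Rule) String() string {
	return fmt.Sprintf("%s -> %s:%d %s", r.Src, r.Dst, r.Port, r.Action)
}

// key identifies a flow independently of its action.
func key(r Rule) string { return fmt.Sprintf("%s>%s:%d", r.Src, r.Dst, r.Port) }

// Compile translates intent into the exact set of forward rules the overlay
// should carry: one rule per (source asset, destination asset) pair named by
// each intent. This is the direct translation from policy to implementation.
func Compile(policy []Intent, inventory []Asset) []Rule {
	var rules []Rule
	for _, in := range policy {
		for _, s := range inventory {
			if s.Segment != in.FromSeg {
				continue
			}
			for _, d := range inventory {
				if d.Segment != in.ToSeg || d.IP == s.IP {
					continue
				}
				rules = append(rules, Rule{s.IP, d.IP, in.Port, "forward"})
			}
		}
	}
	return rules
}

// Audit is the built-in compliance test: it compares the flow table actually
// installed with the compiled policy. A forward rule with no matching intent
// is an unauthorized path (east-west traffic bypassing the virtual firewall);
// a compiled rule absent from the table means policy is not being enforced.
// Drop rules never widen access and are ignored.
func Audit(installed, expected []Rule) (unauthorized, missing []string) {
	want := map[string]bool{}
	for _, r := range expected {
		want[key(r)] = true
	}
	have := map[string]bool{}
	for _, r := range installed {
		if r.Action != "forward" {
			continue
		}
		have[key(r)] = true
		if !want[key(r)] {
			unauthorized = append(unauthorized, r.String())
		}
	}
	for _, r := range expected {
		if !have[key(r)] {
			missing = append(missing, r.String())
		}
	}
	sort.Strings(unauthorized)
	sort.Strings(missing)
	return unauthorized, missing
}

// Constructed sample data: a three-tier application plus a CI server.
var SampleInventory = []Asset{
	{"10.0.1.10", "web"}, {"10.0.1.11", "web"},
	{"10.0.2.10", "app"}, {"10.0.3.10", "db"}, {"10.0.9.5", "ci"},
}

var SamplePolicy = []Intent{{"web", "app", 8080}, {"app", "db", 5432}}

// SampleTable is what the controller reports as installed (constructed). It
// carries a rogue web-to-database path and lacks the app-to-database rule.
var SampleTable = []Rule{
	{"10.0.1.10", "10.0.2.10", 8080, "forward"},
	{"10.0.1.11", "10.0.2.10", 8080, "forward"},
	{"10.0.1.10", "10.0.3.10", 5432, "forward"},
	{"10.0.9.5", "10.0.3.10", 5432, "drop"},
}

func main() {
	expected := Compile(SamplePolicy, SampleInventory)
	unauthorized, missing := Audit(SampleTable, expected)
	for _, u := range unauthorized {
		fmt.Println("UNAUTHORIZED:", u)
	}
	for _, m := range missing {
		fmt.Println("NOT ENFORCED:", m)
	}
}
```

The audit is only as good as the inventory it compiles from: a virtual server that is missing from the asset list, or tagged with the wrong segment, silently falls outside every intent, so the Identify function has to be kept current for the micro-segmentation to mean anything.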
It’s hard to find a bigger gathering of optical networking professionals than OFC, so pick up your badge early for access to an insider’s view of the latest security developments from around the globe.
Is your OFC registration password longer than six characters, and does it include at least one number and one letter? Or did you just use your dog’s name like you always do? Drop me a line with your most inventive approach to password creation (@Dr_Casimer) and I’ll use the best ideas (anonymously, of course) in a future blog.