Optical Encryption: First Line of Defense for Network Services
An IHS Markit Technology Webinar
#NetworkSecurity
Today’s Speakers
• Allen Tatara, Manager, Webinar Events (Moderator), IHS Markit
• Sylvain Chenard, Product Line Manager, IP/Optical Networks, Nokia
• Hector Menendez, Product Marketing Manager, IP/Optical Networks, Nokia
• Heidi Adams, Senior Research Director, Transport Networks, IHS Markit
1 The Need for Secure Transport
2 Securing Data at the Optical Transport Layer
3 Illusion of Security & Key Management
4 Case Studies
5 Nokia Approach
6 Conclusions
7 Audience Q&A
The Threat Is Real - And the Stakes Are High
Motivations Behind Attacks (September 2016; source: hackmageddon.com):
• Cyber Crime: 80.3%
• Hacktivism: 11.3%
• Cyber Espionage: 4.2%
• Cyber Warfare: 4.2%
Notable Recent Breaches (Impacting Millions of Records)
[Chart: record counts of notable recent breaches, from 55m to 145m records each, plus one attack affecting 30+ substations. Sources: Breach Level Index; InformationisBeautiful.net]
Breaches Pose Substantial Financial Risk and More…
[Chart: direct cost of breaches so far ($M, 0 to $250M) plotted against records lost or stolen (m, 0 to 100); the breaches shown cost $39m, $100m, $100+m, $161m and $252m. Source: InformationisBeautiful.net]
Financial and credibility impact by sector:
• Enterprise: Lost revenue, credibility, critical IP assets
• Government: Interruption of vital services
• Finance: Loss of customer assets
• Healthcare: Delivery of patient care, loss of confidence
Transformations Driving Cybersecurity Tech
• Rationalizing defense
• New architectures
• Evolving threats
• Device proliferation
How to Deliver Network Security in a Multi-petabit World?
The Rise of 100G and Beyond
[Chart: Annual Deployed Telecom Bandwidth and YoY Change, CY14 to CY20; transmission capacity (petabits/sec, 0 to 125) by line rate (10G, 40G, 100G, 200G+) with growth rate (%) on a 0 to 100% secondary axis. Source: IHS Markit Telecom Optics & Components Market Tracker – November 2016]
2 Securing Data at the Optical Transport Layer
Implementing a ‘Defense-in-depth’ Strategy
• Need to strengthen security beyond perimeter (e.g., firewalls)
• Must protect data integrity and confidentiality, including when data is in-flight
• Layer 1 security is an integral part of a multi-layered defense strategy
From Application to Layer 1 Security
Security threats are addressed at every layer:
• Application: SSL/TLS encryption
• Transport: TCP, UDP privacy and data integrity protocols
• Network: IPSec encryption
• Data link: MacSec encryption
• Physical: L1 encryption, monitoring, intrusion detection, optical span protection
Why Secure at Layer 1?
• Reduced cost: Lowest cost / encrypted bit
• Low latency: Ultra low latency and bandwidth efficiency
• Transparency: Better scale and support for any traffic type
• Better performance: High bandwidth wire speed encryption
• High availability: Robust network protection with high availability
• Management: Simpler security and network management
Moving Towards a 100G Connected World
Optical networks are rapidly approaching an inflection point: a new level of scale is required as 10G gives way to 100G.
[Figure: the 10G to 100G transition brings better, more efficient, more numerous and secure wavelengths, serving large enterprises, content providers, comms providers and strategic industries, driven by fixed/mobile, IP video, cloud/IT and IoT]
Easily Adding Layer 1 Encryption to Existing Networks
[Figure: Data Center A and Data Center X, each with LAN, SAN and HPC traffic (Ethernet, FC, InfiniBand), connected over DWDM metro and long haul at 100G; network management sits with IT operations (enterprise IT), key management with security operations (cyber security administration)]
Optical Transport Security Mechanisms
• Wavelength monitoring: Allows power and fiber monitoring and reporting for each wavelength
• OTDR – the fingerprint: Detect and localize precisely any anomalies on the fiber network by comparing the current trace against the Day 1 baseline (Day 3: new fiber route?)
• Key strength & management: Protect your data and investment with a strong quality key issued by a key authority (plaintext → ciphertext → plaintext)
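The OTDR fingerprint idea above, as an added example that is not part of the webinar or of Nokia's product: the Day 1 trace is stored as the baseline and later traces are diffed against it, so an unexplained loss step or a change in span length is reported with its distance. The traces, the 0.2 dB/km attenuation and the 0.5 dB alert threshold are constructed assumptions.

```python
"""OTDR fingerprint comparison for optical intrusion detection.

Added example (not the webinar's or Nokia's code). The Day 1 trace is the
stored fingerprint; later traces are diffed against it. Traces, the 0.2 dB/km
attenuation and the 0.5 dB alert threshold are constructed assumptions.
"""
from dataclasses import dataclass

def synth_trace(events, length_km=40):
    """Constructed trace: (distance_km, cumulative_loss_dB) sampled per km,
    0.2 dB/km fibre attenuation plus discrete loss events such as splices."""
    trace = []
    for km in range(length_km + 1):
        loss = 0.2 * km + sum(db for at_km, db in events if km >= at_km)
        trace.append((float(km), round(loss, 3)))
    return trace

# Day 1 fingerprint: a 40 km span with one 0.3 dB splice at km 15.
DAY1_TRACE = synth_trace([(15, 0.3)])
# Day 3: same span, but an unexplained 0.8 dB step has appeared at km 27.
DAY3_TRACE = synth_trace([(15, 0.3), (27, 0.8)])

@dataclass
class Anomaly:
    distance_km: float
    delta_db: float
    kind: str

def compare_traces(baseline, current, threshold_db=0.5):
    """Report where `current` departs from the `baseline` fingerprint.
    Excess loss is tracked per sample; a jump of at least `threshold_db`
    marks a new (or vanished) event at that distance, and a different
    trace length means the light now travels a different route."""
    anomalies = []
    prev_excess = 0.0
    for (d_b, l_b), (d_c, l_c) in zip(baseline, current):
        if d_b != d_c:
            raise ValueError("traces must share the same distance grid")
        excess = l_c - l_b            # loss not explained by the fingerprint
        step = excess - prev_excess   # growth of the excess at this sample
        if abs(step) >= threshold_db:
            kind = "new loss event" if step > 0 else "loss event removed"
            anomalies.append(Anomaly(d_c, round(step, 3), kind))
        prev_excess = excess
    if len(current) != len(baseline):
        anomalies.append(Anomaly(current[-1][0], 0.0,
            f"span length changed from {baseline[-1][0]:g} km to {current[-1][0]:g} km"))
    return anomalies
```

In practice the baseline should be re-captured only after an authorized maintenance event, otherwise a tap installed between captures becomes part of the fingerprint.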
3 Illusion of Security & Key Management
Illusion of Security
Security and Encryption – The Typical House Lock Analogy
House Security
• Almost every home has locks on doors.
• 90+% of house locks can be forced in less than 15 seconds without any evidence of unauthorized entry.
Transport Encryption
• Almost all optical transport solutions claim they are secure.
• Many solutions do not meet current recommendations on minimum key strength.
We need well-balanced cryptographic solutions with a tamper-resistant lock and quality key.
It’s All about Key Strength
Comparative Key Strength
Symmetric key size (bits) | Asymmetric key size (bits)
80 | 1,024
112 | 2,048
128 | 3,072
192 | 7,680
256 | 15,360
Symmetric encryption: sender and receiver use the same private key for encryption and decryption (e.g., 256 bits). Asymmetric encryption: the sender encrypts with the receiver’s public key and the receiver decrypts with its private key (e.g., RSA 2048, comparable to 112 bits).
Symmetric vs. Asymmetric Algorithms
Criteria | Symmetric | Asymmetric
Key type | Secure private | Public and private
CPU power needed | Low | High
Entropy | True random key | Integer factorization
Cryptographically Sound Solutions Ensure Key Quality for the Future
Comparison of conventional and quantum security levels of some popular ciphers:
Algorithm | Key length | Effective key strength/security level: conventional computing | quantum computing
RSA-1024 | 1024 bits | 80 bits | 0 bits
RSA-2048 | 2048 bits | 112 bits | 0 bits
ECC-256 | 256 bits | 128 bits | 0 bits
ECC-384 | 384 bits | 256 bits | 0 bits
AES-128 | 128 bits | 128 bits | 64 bits
AES-256 | 256 bits | 256 bits | 128 bits
Must Balance Cipher and Key Strength
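The "balance cipher and key strength" point above, as an added example (not the webinar's or Nokia's code): the effective level of a scheme is the minimum over its primitives, so an AES-256 data key wrapped with RSA-2048 rates at 112 bits conventionally and 0 bits against a quantum adversary. The RSA rows are the deck's comparative key strength table (NIST SP 800-57 values); ECC is rated at half the curve size as in SP 800-57; the quantum column assumes Grover's algorithm halves symmetric strength and Shor's algorithm breaks RSA and ECC, and the 112-bit floor is NIST's current minimum.

```python
"""Effective security level of an encryption scheme: the weakest link wins.

Added example, not the webinar's or Nokia's code. RSA equivalences are the
deck's comparative key strength table (NIST SP 800-57); ECC is rated at half
the curve size (SP 800-57). The quantum column assumes Grover halves symmetric
strength and Shor breaks RSA and ECC outright. The 112-bit floor is NIST's.
"""

# Symmetric security level (bits) -> smallest RSA modulus (bits) that matches it.
RSA_EQUIVALENCE = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}


def rsa_strength(modulus_bits):
    """Conventional security level of an RSA modulus: the largest table row
    the modulus reaches, or 0 for anything below 1024 bits."""
    return max((s for s, n in RSA_EQUIVALENCE.items() if modulus_bits >= n),
               default=0)


def component_strength(algorithm, key_bits):
    """(conventional_bits, quantum_bits) for one primitive."""
    if algorithm == "AES":
        return key_bits, key_bits // 2       # Grover: brute force in 2^(n/2)
    if algorithm == "ECC":
        return key_bits // 2, 0              # generic DLP sqrt bound; Shor breaks it
    if algorithm == "RSA":
        return rsa_strength(key_bits), 0     # factoring table; Shor breaks it
    raise ValueError(f"unknown algorithm {algorithm!r}")


def effective_strength(components):
    """Security level of a scheme built from several primitives, e.g. an
    AES-256 data key wrapped with RSA-2048. Each axis is the minimum over
    components: a strong cipher under a weak key exchange is still weak."""
    levels = [component_strength(algo, bits) for algo, bits in components]
    return min(c for c, _ in levels), min(q for _, q in levels)


def meets_minimum(components, required_bits=112):
    """Does the scheme meet the recommended minimum conventional strength?
    112 bits is the NIST SP 800-57 floor; 80-bit strength (RSA-1024) is no
    longer acceptable."""
    return effective_strength(components)[0] >= required_bits


if __name__ == "__main__":
    for scheme in ([("AES", 256), ("RSA", 2048)], [("AES", 256), ("ECC", 384)]):
        print(scheme, effective_strength(scheme), meets_minimum(scheme))
```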
Key Management Comparison
[Figure: a single centralized key manager vs. several independent distributed key managers]
Criteria | Centralized | Distributed
Points of trust | Single | Multiple
Policy enforcement | Consistent | Inconsistent
Key revocation | Unified | Uncoordinated
Scalability | Good | Poor
Insist on Independently Certified Solutions
The assurance pyramid: secure development, standard criteria, third-party evaluation.
• Independent certification is proof of due diligence
• Developed in accordance with a rigorous manufacturing process
• Validated against open security standards
4 Case Studies
Security Is Essential to All Mission-critical Networks
• Enterprise WAN
• Government: multi-agency networks
• Smart city infrastructure: IoT
• Financial: advanced branch and banking
• Healthcare: telemedicine, telehealth
• Utilities: smart grid, teleprotection and SCADA
• Transportation: railway signaling, ITS
[Figure: security (confidentiality, integrity, availability) spanning legacy systems, IP-centric apps, datacenter and cloud]
Case Study 1: Private Mission-critical Network
Profile
• National grid operator in Europe connecting over 1,200 nodes for sub-station communications
Key requirements:
• Highly reliable grid communications
• Full support of SCADA and teleprotection
• Secure transport
Solution:
• Converged IP and Optical network
• Provides the highest level of reliability, safety, and security across the entire grid
Solution details
• IP-MPLS for SCADA and teleprotection
• Secure optical transport with low latency L1 encryption and optical intrusion detection
[Figure: Nationwide Grid Control Network (GCN) spanning generation, transmission and distribution over the optical network, with cyber security administration]
Case Study 2: National Bank Mission-critical Network
Profile
• National bank connected to private banks and Eurosystem (European banking network)
Key requirements:
• Low latency for synchronous replication
• High security (encryption)
• Service migration to a new data center
Solution:
• Optical transport network combining FOADM, CWDM and DWDM
• Provides a highly reliable, scalable and secure network supporting all mission-critical applications
Solution details
• Scalable network with high SLA supporting mission-critical applications
• Low latency Layer 1 encryption for all services
• Private network connecting data centers and HQ
[Figure: private network linking three data centers, the NOC and cyber security administration]
5 Nokia Approach
Nokia Secure Optical Transport Solution
Certified Layer 1 Encryption with Trusted Centralized Key Management
Nokia 1830 Security Management Server
• Effective Layer 1 encryption
• Optical intrusion detection
• Centralized, unified key mgmt.
• Fully independently certified (Common Criteria, ANSSI, NIST)
[Figure: end-to-end managed Layer 1 encrypted service between 1830 PSS nodes equipped with 1830 PSS encryption cards, extending across a microwave network built on 9500 MPR]
6 Conclusions
Summary
• Data breaches pose high risk to corporate revenues and impact credibility and customer trust
• Optical transport layer security, including L1 encryption, provides a first line of defense complementing security strategies at other layers of the network
• Simple, unified key management is required: ensure solutions are certified and independently validated
• Solutions are available today and are actively being deployed in mission-critical networks
7 Audience Q&A
Thank You
This webcast will be available on-demand for 90 days.
For additional IHS Markit events, visit: https://technology.ihs.com/events
Follow us on Twitter: @IHS | @IHS4Tech | @IHS4TechEvents