Can you afford to operate your optical network without Layer 1 encryption?

Mind the security gap!

Fiber optic transmission systems offer high-bandwidth connectivity crucial for communication services that underpin our economy, society and administration. However, rising cyber threats increasingly jeopardize the privacy and integrity of mission-critical data. As the Snowden revelations have highlighted, large-scale interception of optical fiber is a significant threat, making it essential to implement measures to protect data in motion.

There are several options available. You can protect your traffic at the endpoint by encrypting user data for each application and service individually. Alternatively, you can secure aggregated traffic at a lower network layer, such as the optical Layer 1, combined with robust perimeter protection. Both approaches are widely used. In this blog post, I’ll focus on the value of optical protection, compare it with encryption at higher layers and provide best practice guidance.

Optical encryption with OTN

Standard compliance is a proven method to ensure networks are cost-efficient and future-proof. Optical Transport Network (OTN) is the preferred, ITU-standardized protocol used in optical transport systems. OTN standards encompass mapping schemes for common interfaces such as IP, Ethernet and legacy SDH. Additionally, OTN can accommodate application-specific protocols used in data centers, storage area networks or professional video studios.

OTNSec, the Layer 1 encryption of optical OTN channels, protects the complete payload, making it agnostic to the interface protocol being transported. Consequently, Layer 1 encryption can be applied to a wide range of applications, especially when a mix of different protocols needs to be supported. A single Layer 1 encryptor can protect the aggregated traffic of multiple different interfaces, making it the preferred solution for connecting data centers and storage area networks.

Lowest latency multigigabit encryption

Optical transport systems can carry several 100Gbit/s of data per wavelength. Using AES-256 as a stream cipher, this vast amount of data can be encrypted with ultra-low latency. In contrast, MACSec and IPSec, which operate at lower data rates and sometimes use software encryption, result in significantly higher latency. Due to the pragmatic and straightforward mapping, combined with the high bandwidth of optical channels, the latency of Layer 1 encryption is extremely low, achieving nanosecond values. Therefore, optical encryption is ideally suited for time-sensitive applications such as finance and data-center synchronization.

Bandwidth efficiency of Layer 1 encryption

AES-256 is utilized for encrypting traffic with OTNSec, MACSec and IPSec, ensuring consistent robustness of encryption algorithms across different layers. However, the way encrypted data is mapped into payloads varies. Higher layers incur more overhead bytes compared to OTN, which employs a transparent, zero-overhead, one-to-one mapping along with using the integrated OTN auxiliary channel for key exchange. As a result, Layer 1 encryption offers superior bandwidth efficiency and resource utilization.

Comparing encryption at Layer 1, 2 and 3

Mobile workers and IoT devices often connect to central offices and the cloud via untrusted public IP networks, which are best secured with IPSec. For large and mid-sized business locations, Ethernet is the preferred protocol, making MACSec the most efficient way to protect the access link. Optical encryption at Layer 1 is employed between major sites, such as data centers, core routing sites or central offices. The encryption of the access linkis complemented by robust perimeter protection to ensure comprehensive security.

A single encryptor at a lower network layer can protect the aggregated traffic of many higher layer connections, offering a more cost-efficient solution compared to securing individual connections. However, this method doesn’t secure the final hop from the aggregator to the endpoint of the individual connection. That’s why this final hop must be operated within a well-protected perimeter. 

Layer 1 encryption is the preferred solution for operators who own fiber networks and need to connect a limited number of major sites using a diverse set of protocols. This approach is particularly relevant for content service providers and utilities managing their core networks, among others.

Obscuring usage patterns

Unlike IPSec and MACSec, Layer 1 encryption protects the full payload, including IP and MAC addresses, thereby concealing all metadata from potential eavesdroppers. This means attackers can’t gain any information about communication patterns or relationships between connected users and applications. Obscuring such traffic characteristics provides significant advantages for high-security and mission-critical operations.  

Certifications and approvals

Security is built on trust. Certifications and approvals from credible, accredited agencies and governmental bodies are essential in the high-security market. Layer 1 encrypted solutions must be FIPS certified and, for government and defense applications, approved for the transport of classified information by a governmental security agency such as the German Federal Agency of Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

Summary

Mission-critical applications demand secure communication. Encryption can be implemented at different network layers, each offering unique advantages. Layer 1 encryption stands out as the optimal solution for high-bandwidth site-to-site protection, offering the lowest latency, metadata obscuring and multi-protocol capability. When applied with OTN, optical encryption is easily implemented in standardized, widely adopted networking technology. Key applications include secure connectivity among data centers and storage area networks, as well as protected, high-bandwidth networks for high-security markets such as defense, government and critical infrastructure.

Adva Network Security offers a portfolio of Layer 1 encrypted DWDM solutions, approved by the BSI for the transport of sensitive data classified as EU/NATO Restricted and Confidential.