FIBER OPTICS SEMINAR


8/7/2019 FIBER OPTICS SEMINAR

SECURING FIBER OPTIC COMMUNICATIONS AGAINST OPTICAL TAPPING METHODS

Optical tapping devices placed in public and private optical networks today allow unfettered access to all communications and information transiting any fiber segment. Available legally and inexpensively from numerous manufacturers worldwide, optical taps are standard network maintenance equipment that are in use daily. When used nefariously, optical taps provide an excellent method of intercepting voice and data communication with virtually no chance of being detected. Intruders are therefore rewarded with a bounty of relevant information while subject to a very low risk of being caught. Optical network equipment manufacturers do not currently incorporate adequate protection and detection technologies in their platforms to monitor such network breaches in real-time. Network operators thus cannot safeguard the optical signals on their networks and therefore cannot prevent the extraction of sensitive data and communications. Government networks, while assuredly more secure, are also vulnerable to certain types of advanced passive and active tapping methods.

INTRODUCTION

Fiber optic telecommunications systems make up the backbone of all modern communications networks. Whether voice, data, video, fax, wireless, email, TV or otherwise, over 180 million miles of fiber optic cables worldwide transport the ever increasing majority of our information and communications. Modern economies and societies rely on the availability, confidentiality and integrity of critical fiber optic network infrastructures to function properly and efficiently.

With the initial introduction of fiber optic telecommunications systems came the belief that fiber-based transmissions are inherently secure. It has since been proven that not only are fiber optic systems simple to tap, but in many respects they are simpler to tap than their copper-based predecessors. Furthermore, tapped optical networks reveal much greater pertinent information in a more orderly and digitized manner. In fact, many fiber optic taps are standard network maintenance equipment used daily by carriers worldwide. Used illicitly, however, such devices allow the extraction of all voice and data communications in the fiber plant with little or no chance of detection.

This is achieved because the light within the cable contains all the information in the transmitted signal and can be easily captured, interpreted and manipulated with standard off-the-shelf tapping equipment.

GENERAL STATISTICS

Today we live in a society where corporate espionage has become an international sport. As communications using fiber optics become increasingly ubiquitous, so too does the potential for the illegal tapping and stealing of confidential and commercially sensitive data. It is estimated that over $100 billion was lost to U.S. companies alone in 2000 due to corporate espionage activities, whereas $20 billion was lost through purely technical means. Internationally, over 100 foreign government agencies routinely obtain and provide sensitive information on companies to their own domestic firms.

Particularly problematic is the fact that the vast majority of optical taps persist completely undetected, as carriers and most enterprises today do not employ adequate techniques to monitor, detect and protect data on their optical networks. Clearly, in such an environment, fiber optic networks, which are the lifeblood of all communications and data transfer in modern society, are real targets for attacks.

FIBER OPTIC COMMUNICATIONS

Optical fibers are dielectric wave-guiding devices used to confine and guide light. These cables are typically constructed of a silica glass core surrounded by a cladding, which is then protected by a jacket. While the cladding is typically also made from silica glass, some applications utilize plastic or doped silica. Regardless of material, in order for internal reflection and propagation of the light through the optical fiber, the cladding's refractive index must be lower than the core's to satisfy Snell's Law. The primary function of the jacket is to protect the fiber from damage.

Diagram 1: Standard cross-section view of an optical fiber.
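As an added worked equation (not from the seminar text), the Snell's Law condition behind the core/cladding requirement, with assumed typical index values $n_1 = 1.48$ for the core and $n_2 = 1.46$ for the cladding:

At the core/cladding boundary Snell's Law gives $n_1 \sin\theta_1 = n_2 \sin\theta_2$, where $\theta_1$ is the ray's angle of incidence measured from the normal. Light is guided only when no refracted ray exists, i.e. $\sin\theta_2 \ge 1$, which requires
$$\sin\theta_1 \ge \frac{n_2}{n_1} = \sin\theta_c .$$
A critical angle $\theta_c$ exists only if $n_2 < n_1$, which is why the cladding index must be lower than the core's. For the assumed values, $\sin\theta_c = 1.46/1.48 \approx 0.9865$, so $\theta_c \approx 80.6^\circ$: rays that strike the boundary closer to the normal than this refract out into the cladding. A bend or clamp lowers the incidence angle of some rays below $\theta_c$, which is the mechanism behind the leaked light described under splitters and couplers, and equally the power loss that a physical-layer monitor can measure.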

Communications using optical fibers have several attractive features and advantages over other communications systems. These advantages include:

Greater bandwidth and capacity
Electrical isolation
Low error rate
Greater immunity to external influences
Greater immunity to interference and crosstalk

Fiber optic communication systems have been increasingly deployed in telecommunications systems, as their high bandwidth has allowed them to replace copper at an initial rate of one fiber per thousand copper wires. Advances in DWDM have continued to push such ratios even further.

METHODS OF TAPPING

There are various fiber optic tapping methods, but most fall into the following main categories:

Splice
Splitter or Coupler (Variable)
Non-touching methods (passive and active)

SPLICE:

The simplest method of tapping is by splicing the optical fiber briefly and inserting equipment to allow for the signal to transit to the end party while also being intercepted by the intruder. Optical splices do produce a momentary lapse of data while the fiber is not operational. Carriers do not, however, have the real-time ability to locate fiber breaks and must then usually roll out trucks and technicians and insert additional external equipment. Thus, if downtime is short, many operators will attribute the disturbance to a network glitch and allow data transit to continue, unaware that a tap has been placed. Most off-the-shelf tapping equipment today, however, does not interrupt the signal, and thus the splicing method is not preferred.

SPLITTERS AND COUPLERS:

Such methods allow the tapping of an optical fiber without actually breaking the fiber or disrupting the data flow. One of the lesser-known properties of optical fibers is that light is easily lost from both the jacket and the cladding of the fiber, particularly if the fiber is bent, or clamped, in such a way that micro-bends or ripples are formed in its surface. Perhaps the simplest example of such phenomena is that one is able to see the light in an optical fiber if one holds an optical fiber in one's hands.

Just as simply as one sees the light (as one's eyes are after all biological optical detectors), so does the equipment designed to interpret it. In reality, all that is required to extract all of the information traveling through an optical fiber is to introduce a slight bend into the fiber, or clamp onto it at any point along its length, and photons of light will leak into the receiver of the intruder. In fact, many optical fiber test instruments are designed specifically to take advantage of this fact. For example, below is a commonly available Optical Fiber Identifier that is used to determine the direction of an optical signal, without the need to remove the jacket. Other passive, non-intrusive tapping devices are also shown.

COMMERCIALLY AVAILABLE TAPPING DEVICE

Figure panels (a) to (d), in the order captioned on the page: an Optical Fiber Identifier for determining signal direction; a polarization maintaining variable ratio evanescent wave coupler; a micro-bend clamping tapping device; a macro-bend tapping device.

NON-TOUCH METHODS:

Numerous methods of tapping optical fibers exist without the need to actually touch the fiber or steal light from the fiber plant. Some methods, while having been around for over a decade, have recently been published in the public domain and are now accessible worldwide by anyone who has access to an Internet connection. A recent U.S. Patent (6,265,710), as well as European Patent (0 915356), issued to Deutsche Telekom, describes in detail a method or device for extracting signals out of a glass fiber without any detectable interference occurring, in particular without the signals propagating through the glass fiber experiencing any transmission loss. More advanced non-touching active taps, in contrast, inject additional light into the fiber plant and are able to deduce the underlying optical signal by gauging certain interactions between the two. Such non-touching taps are primarily undetectable and thus, without the proper physical-layer optical signal protection in place, data may be intercepted indefinitely without notice by the network operator or end-user.

PROTECTION METHODS

RFTS
INTRUSION DETECTION SYSTEMS
ENCRYPTION
PHYSICAL-LAYER SECURITY
BREACH LOCALIZATION
OUTPUT OPTIMIZATION

RFTS

Radio Frequency Testing Systems (RFTS) are an effective means of scanning multiple dark fibers for route integrity prior to the optical fibers being lit. While certain types of discrepancies may be found, which could correlate to already placed taps, RFTS only operate on dark fibers prior to service. Thus, once an RFTS is dismantled and a fiber is lit and in service, no form of even basic intrusion detection is left available. Furthermore, the optical signals on the lit fiber are in no way protected, so that an optical tap can readily extract data without the possibility of being detected. In short, an RFTS may provide some protection to optical network assets prior to going into service, but once in service and producing revenue, those assets are wide open to manipulation via optical taps.

INTRUSION DETECTION SYSTEMS

Intrusion detection systems may operate on the data layers or on the physical layer. What most people understand as intrusion detection systems actually operate at the data layers and offer no protection against optical taps. Intrusion detection systems that operate at the physical layer are in fact useful in detecting if certain types of optical taps may have occurred. They do not, however, actually protect the underlying data at all, and thus such data may still be successfully extracted. Furthermore, intrusion detection systems are prone to human error, as alarms must be correctly interpreted and acted upon; otherwise unprotected data may continue to be tapped. In fact, non-touching optical tapping methods are by definition not detectable, and thus if the data itself is not protected, it may continue to be extracted indefinitely without any notice. Thus, while physical-layer intrusion detection systems play an important role in fiber optic security in general, they serve more efficiently as part of a comprehensive security and monitoring package, which also incorporates other effective data and fiber protection mechanisms.

ENCRYPTION

While encryption is an effective means of scrambling data point-to-point on a network, it does not solve the problem of optical taps. Specifically, it does not protect the physical transport layer of the network, nor can it detect when an optical tap has been placed, what type of tap it might be and exactly where such a tap is located in the fiber plant. Without the ability to detect and locate a potential intruder, effective law enforcement actions are not possible.

Therefore intruders are not only capable of continually and indefinitely extracting data in an undetected manner, but they are also in the position to insert further optical taps into other networks for additional gain in a relatively low-risk environment. Encryption is also by definition a mathematically solvable algorithm with a predefined set and one correct key, which through various methods can be derived. So-called unbreakable encryption methods have throughout history time and time again been broken with ingenious methods, faster processors, new technologies and simple brute force. Many decryption hardware and software tools for hackers are widely available and are quite successful at allowing unfettered access to data. Such examples include digital scanners for cell phones, DVD decoders, WiFi descramblers, and the like. Encryption also has an associated high cost of ownership, as the difficulties in implementing and maintaining it across an entire enterprise are prohibitive. Usability is also an issue, as interoperability with other external organizations is not possible without proper planning and agreement on the types of encryption standards to attempt to use. As encryption is not a transparent security technology, users must learn various interfaces, which are not standardized across applications or platforms. Even then, encryption is only effective if keys are frequently updated and passwords are not simple to guess or find on or around workstation desktops. Large corporations with offices across the globe must also address various government export and import laws regarding encryption technologies, as well as government or third-party key depository schemes.

Encryption has therefore experienced a relatively low implementation rate, and virtually all voice traffic and the vast majority of data traffic is simply not encrypted today. The small amount of traffic that is encrypted, however, must have unencrypted headers in order to successfully transit and be switched in the public networks. Thus, traffic analysis can derive large volumes of useful data, and encrypted packages between two parties actually serve as a red flag for information that is potentially highly useful and may warrant the effort to decrypt offline. Developments in quantum encryption have made headlines recently. It is important to note that while such efforts do protect the original encryption key when initially in transit, once a session is established, the actual information is sent in a normal encrypted format that is still susceptible to all the typical issues of encryption and likewise can be decrypted. Therefore, while encryption may serve as a useful deterrent at the data layer in general, a second complementary line of defense at the physical layer is required to truly protect against optical taps.

PHYSICAL-LAYER SECURITY

Physical-layer security completely secures the fiber optic transport layers (0, 1), making data virtually impossible to recover and read. Typically, Layer 1 security has been focused on limiting access to cables and network equipment by placing them in locked or hard-to-access locations. Encrypting data at the transmission source ensures that it is secure even if the fiber optic lines themselves are tapped. There is a need for scalable performance and seamless end-to-end integration to deliver improved network operations and performance without compromising security. The encryption used for this is the federally endorsed AES algorithm, with the flexibility to be integrated into any OC192/STM64 (10 Gbps) network. The AES (Advanced Encryption Standard) algorithm was adopted by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 in November 2001 after a 5-year standardization process, replacing the then-standard DES (Data Encryption Standard) algorithm. AES supports 128, 192 and 256 bit key lengths and, as declared by the U.S. government, is sufficient to protect classified information up to the SECRET level.

BREACH LOCALIZATION

Breach localization calculates the exact position of such events along optical fibers in real-time. Law enforcement actions against perpetrators are now enabled for the first time through proactive integrated means. Maintenance and repair actions are also more targeted and effective.

OUTPUT OPTIMIZATION

Software management limits the overall available light in a fiber plant to the exact fiber span length. Acceptable signal-to-noise ratios and bit-error rates are software programmable, allowing for robust optical links while limiting, however, the superfluous light typically found in fiber plants, which would otherwise provide further means of exploit through optical taps.
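As an added worked example, not part of the seminar text and not any vendor's code, the following Python sketch models the two ideas above: output optimization (launching only as much light as the span needs, so that the excess light available to a tap can be measured and minimized, plus a received-power alarm to act on a loss event) and breach localization (converting an OTDR round-trip time into a distance along the fiber). The span parameters, the group index and the alarm threshold are constructed sample values, not figures from the page.

```python
"""Added example (not from the seminar): link-budget based output optimization,
a received-power alarm and OTDR event localization for one fiber span.
Every numeric parameter here is a constructed sample value, not a vendor figure."""
from dataclasses import dataclass

C_VACUUM_M_PER_S = 299_792_458.0  # speed of light in vacuum


@dataclass
class Span:
    length_km: float           # physical span length
    atten_db_per_km: float     # fiber attenuation coefficient
    fixed_loss_db: float       # total splice and connector loss on the span
    rx_sensitivity_dbm: float  # lowest receive power that meets the target BER
    margin_db: float           # operating margin to keep above sensitivity


def span_loss_db(span):
    """End-to-end attenuation of the span in dB."""
    return span.length_km * span.atten_db_per_km + span.fixed_loss_db


def optimized_launch_dbm(span):
    """Lowest launch power that still lands margin_db above receiver sensitivity.
    This is the output-optimization idea: light matched to the exact span length."""
    return span.rx_sensitivity_dbm + span_loss_db(span) + span.margin_db


def excess_light_db(span, actual_launch_dbm):
    """Superfluous light (dB) relative to the optimized launch power."""
    return actual_launch_dbm - optimized_launch_dbm(span)


def expected_rx_dbm(span, launch_dbm):
    """Receive power the monitor should see on an undisturbed span."""
    return launch_dbm - span_loss_db(span)


def power_drop_alarm(expected_dbm, measured_dbm, threshold_db=0.5):
    """Raise an alarm when measured receive power falls more than threshold_db
    below expectation. Returns (alarm, drop_db)."""
    drop = expected_dbm - measured_dbm
    return drop > threshold_db, drop


def min_detectable_diversion(threshold_db):
    """Fraction of the light whose removal just reaches the alarm threshold;
    use it to judge whether a chosen threshold is tight enough."""
    return 1.0 - 10 ** (-threshold_db / 10.0)


def otdr_event_distance_km(round_trip_s, group_index=1.4682):
    """Distance from the OTDR to a loss or reflection event, from the round-trip
    time of the probe pulse. The pulse travels out and back, hence the factor 2;
    group_index is an assumed typical value for silica fiber."""
    return C_VACUUM_M_PER_S * round_trip_s / (2.0 * group_index) / 1000.0


if __name__ == "__main__":
    span = Span(length_km=40.0, atten_db_per_km=0.25, fixed_loss_db=1.0,
                rx_sensitivity_dbm=-28.0, margin_db=3.0)
    launch = optimized_launch_dbm(span)
    print(f"optimized launch {launch:.1f} dBm; "
          f"excess at 0 dBm launch {excess_light_db(span, 0.0):.1f} dB")
    expected = expected_rx_dbm(span, launch)
    print("1 dB drop alarms:", power_drop_alarm(expected, expected - 1.0)[0])
    print(f"0.5 dB threshold detects diversion >= "
          f"{min_detectable_diversion(0.5):.1%}")
    print(f"event at {otdr_event_distance_km(2e-4):.3f} km")
```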

SOME IMPROVEMENTS

STAND-ALONE DEVICE

When implemented as a stand-alone device, interoperability with any manufacturer's equipment is ensured. The successful insertion into multi-vendor networks helps protect network operators from financially troubled vendors and those not pursuing optical security and monitoring functionality in their current or future product lines. Such devices sit at either end of a given fiber optic segment to provide security, monitoring, intrusion detection and maintenance capabilities to that specific route. At either end, each device optically interfaces with already existing multiplexor and transceiver card equipment, which otherwise does not support such optical security and monitoring capabilities. Network management and administration occurs through a standard SNMP or other similar interface. Multi-vendor interoperability in particular allows network operators to incrementally add such required optical security and monitoring capabilities to their already existing infrastructures. Network operators are thus not hampered by feature restrictions on current vendor equipment, limited configurations for security, network monitoring limitations or other constraints.

TRANSCEIVER CARDS

When implemented at the transceiver card level, Stand Alone Device technology takes advantage of already existing optical and electrical components in the transceiver cards and their accompanying multiplexors or other terminal equipment. Transceiver cards are the least expensive, most easily swappable components in an optical network, and due to the life of laser components, need to be replaced more frequently than other networking equipment. Thus network operators may replace existing non-secure transceiver cards in multiplexors and switches with secure transceiver cards containing Stand Alone Device technologies, either proactively in routes where need demands or through regular attrition. The cost differential between a current non-secure transceiver card and a secure transceiver card implementing Stand Alone Device technologies is the relatively minor incremental components cost, as well as other fixed costs such as upfront design and related licensing fees, which can be spread across the product line. Even though the input and output electronic data streams to the multiplexors and switches remain the same, the light transmitting the data is in a patented secure phase modulated format different from any commercially available products. Because of the format of the light, Stand Alone Device technologies are therefore able to provide an extremely precise and sensitive tap detection system, which would not function with existing common equipment utilizing insecure amplitude or intensity modulated signals.

Furthermore, the Stand Alone Device integrates an Optical Time Domain Reflectometer (OTDR) to instantaneously locate the exact source of an intrusion or maintenance event and determine its origins, such as an actual tap, a physical line break, or even simple fiber degradation. Such features also allow a carrier to more cost-effectively maintain and operate their fiber network. Depending on the type of breach event, the most appropriate resources may be allocated to alleviate the situation, whether it is a maintenance action or a law enforcement action driven by an actual intrusion. Network operators may therefore offer corporate clients a much more robust and secure network, which is completely protected against optical taps and continuously monitored 24/7/365. Such value-added security, monitoring and intrusion detection services demand a premium and would be a welcome addition to the current weak environment in the telecommunications industry.

Oyster Optics technology thus manipulates the underlying characteristics of the light waves in such a manner that, when attempting to tap an optical fiber protected by Oyster Optics technologies, it is virtually impossible to obtain information and to attempt to do so without the detection and localization of the intruder. Oyster Optics' unique ensemble of security, monitoring, intrusion detection and breach localization technologies at the physical transport layer provides carriers, vendors and end-users with an unparalleled new security offering.

TRANSCEIVER EQUIPMENT INTERFACES

For a transceiver card implementation to leverage the advantages of Stand Alone Device technology in a network, an upgrade to the existing embedded host platform software, network management software, and provisioning software should be implemented. The embedded host platform (i.e. multiplexor, switch, or other equipment) and network management software upgrade consists of managing, controlling, and the automatic interpretation of the results from the intrusion detection alarm and embedded Optical Time Domain Reflectometer (OTDR). Network provisioning software upgrades will highlight routes that are protected by Oyster Optics technologies vs. unprotected routes, allowing carriers to optimize the rollout and support of new optical security and monitoring services in their networks. Nonetheless, because Oyster Optics technology is backwards compatible with existing telecommunications equipment, it is possible for carriers to install and operate transceiver cards with Oyster Optics technologies in a non-secure mode without requiring all necessary software updates to be in place. As a carrier's normally scheduled software upgrades occur, the new security, monitoring and intrusion detection services can be automatically turned up remotely to allow fast provisioning to corporate and government customers. Oyster Optics can also provide hardware and software support services during equipment design and integration with a carrier's selected equipment vendors.

OPTICAL NETWORK CONFIGURATIONS

Secure transceiver cards with Oyster Optics technologies can be implemented in all modern network architectures. Recent advancements such as all-optical switching, DWDM, integrated optical components and tunable lasers may also take advantage of Oyster Optics patented technologies, which can be integrated into the relevant transceiver cards, modules, sub-systems, or stand-alone

CONCLUSIONS

Communications are an essential factor in today's modern information technology and service based economies. Global commerce is dependent upon the critical communications infrastructure and relies on the availability, confidentiality and integrity of data and voice transmission. Sensitive communications and information, which are illegitimately extracted from public and private networks, can be used illicitly for financial, political or other gain. Global competitors increasingly seek competitive advantage, confidential information, financial gain and proprietary market intelligence through such nefarious means. Optical networks have proven adept at transporting massive amounts of information cheaply and efficiently around the world.

Today's communication networks of all types consist of fiber optic networks at the core, spreading out towards the edges. Further technological advances and price reductions have brought optical fibers to most corporate buildings and over time are working their way to the final edges of the network, onto the desktop and even into more affluent residential neighborhoods and residences.

Today's corporations, and indeed the economies they support, rely heavily upon the communications services provided by optical networks. Optical tapping methods enable the extraction and sorting of large volumes of voice and data transiting an optical fiber. Media of all types are essentially digitized, organized and transmitted across optical networks via well documented standardized protocols. The inherent insecurity of fiber optics, and the belief that they are indeed secure, is perhaps one of the greatest misconceptions in the communications industry today. Corporations, governments and other organizations which choose to ignore these unseen dangers stand to face potentially significant losses, undue exposure and brand dilution long-term. Carriers must also address these blatant network vulnerabilities and offer protection and contractual assurances against optical taps to their customers. Governments must better protect their networks from all types of optical taps, reactively pursue and apprehend those who utilize such methods illegally, and help educate and empower organizations and citizens against such real threats. Those groups not willing to address and correct the issues surrounding optical tapping techniques will find themselves at a distinct competitive disadvantage long-term from a financial and risk exposure point of view. Highly sensitive intrusion detection technologies monitor the optical fiber for network intrusions, identify the type of breach, and locate the position of the disturbance in the fiber plant in real-time, allowing the apprehension of intruders. Output optimization technologies further greatly limit the available light a potential intruder would have at their disposal, thus increasing their risk of discovery.

TABLE OF CONTENTS

1. INTRODUCTION
1.1 GENERAL STATISTICS
2. FIBER OPTIC COMMUNICATIONS
3. METHODS OF TAPPING
3.1 SPLICE
3.2 SPLITTERS AND COUPLERS
3.3 NON-TOUCH METHODS
4. COMMERCIALLY AVAILABLE TAPPING DEVICE
5. PROTECTION METHODS
5.1 RFTS
5.2 INTRUSION DETECTION SYSTEMS
5.3 ENCRYPTION
5.4 PHYSICAL-LAYER SECURITY
5.5 BREACH LOCALIZATION
5.6 OUTPUT OPTIMIZATION
6. SOME IMPROVEMENTS
7. STAND-ALONE DEVICE
8. TRANSCEIVER CARDS
9. TRANSCEIVER EQUIPMENT INTERFACES
10. OPTICAL NETWORK CONFIGURATIONS
11. CONCLUSIONS
