Evolving Optical Transport Network Security

1

Copyright © 2012 All Rights Reserved.

Copyright © 2012 All Rights reserved

Evolving Optical Transport Network Security

May 15, 2012

Prepared by: John Kimmins Executive Director 732-699-6188 [email protected]

2


• Overview of Optical Communications and Transport Networks

• Evolving Transport Network Technology • Potential Security Issues • Security Risk Management

Outline

3


• Exploding bandwidth demands − Annual growth of 50% or more to support services such as

− 3G and 4G wireless (backhaul) − Streaming video − Cloud services − On-line gaming

− Capacity of optical systems is hundreds of times greater than that of electrical or radio-wave systems

• Need for agility, scalability and sustainability to meet rising customer expectations − Shift from relatively static TDM-based services to rapidly changing

IP/Ethernet-based services

Drivers for Optical Communications

4


Optical Communications Stack Options

Transported Traffic (voice, video, data)

Optical Fiber

Optical Fiber Cable

Ethernet SONET Fibre Channel


OTN

WDM (typically DWDM)


FDDI

Inside Plant Outside Plant

5


Illustrative Physical Network View

Core/Long-Haul (undersea and terrestrial)

Distribution/Metro

Access/ Last mile

6


• Automatically Switched Optical Network (ASON) is an emerging control plane technology that − Automates discovery and provisioning of network resources and

connections − Allows for customer control over optical network connections − Permits dynamic policy-driven network control

• Transport network changes are initiated by a customer or management system

• Signaling controls the creation and removal of connections • Customer connects to the transport plane through a physical

interface and communicates with the control plane via a User Network Interface (UNI)

Evolving Transport Network Technology - 1

7


• Automated provisioning allows for − Dynamic bandwidth allocation based on demand − Quick end-to-end connection setup and teardown − Efficient rerouting and resource usage − Reduced labor costs associated with manual tasks and

customer/service provider interactions − Time-efficient response to changing customer needs

• ASON also supports − Connection protection and restoration − Address and wavelength assignment − Traffic engineering − Many Quality of Service (QoS) levels − Multiple types of traffic (though it may be optimized for IP)

Evolving Transport Network Technology - 2

8


• Service demarcation points are where call control is provided • Inter-domain interfaces are service demarcation points

ASON Architecture Interfaces

9


• User-Network Interface (UNI) − Separates the concerns of the user and

provider

− Enables client-driven end-to-end service activation

• External Network-Network Interface (E-NNI) enables − End-to-end service activation

− Multi-carrier and vendor inter-working

− Independence of survivability schemes for each domain

• Internal Network-Network Interface (I-NNI) supports − Intra-domain connection establishment

− Explicit connection operations on individual switches

• UNI and E-NNI are supported by a family of ITU-T and OIF signaling protocols

• I-NNI is considered proprietary

ASON Network Interfaces

NE Provider A Provider B E-NNI

NE NE NE

Domain 1

Domain 2E-NNI

I-NNIE-NNIDomain 1

Domain 2E-NNI

I-NNIE-NNI

UNI UNI-C UNI-N

UNI UNI-N UNI-C

10


Growth of the Security Threats

1

High

Low

1980 1985 1990 1995 2000

Soph

istic

atio

n

cross site scripting

password guessing self-replicating code

password cracking

exploiting known vulnerabilities

disabling audits back doors

hijacking sessions

sweepers

sniffers

packet spoofing

graphic user interface

automated probes/scans

denial of service

www attacks

“stealth” / advanced scanning

techniques

burglaries

network mgmt. diagnostics

distributed attack tools

Advanced Persistent Threat

Supply Chain Counterfeits

2012+

RSA Compromise

Sophistication Of Available Tools/Attacks

Growing Botnets Mobile Malware

? Stuxnet

11


• Increases the exposure of the core optical transport network − With new user interface, unauthorized bandwidth requests may

enable denial-of-service attacks − New routing protocols may not be sufficiently protected and create

network instability − Network forensics may be more difficult in a dynamic environment − Connections may be temporarily set up to support potential attacks

and then disappear

• Gateway products will be emerging to mediate network access − Testing of security features will be required to determine protection

level

Emerging Risks & Impacts

12


Security Risk Management Roadmap

Current Network Infrastructure

New Customer Services

Assess Security • Address risk • Platforms,

applications, NEs & interfaces

• Process flows • Security architecture • Security management

New Network Technology

Insertion

Evolving Network

Infrastructure

Procurement Process Controls

• Vulnerability Mitigation

• Processes • Security design • Operations testing &

turn-up

New Services Rollout • Controls process • Vulnerability

assessment • Procedures • Training • Service testing &

turn-up

Threat & Vulnerability • Monitoring • Patch management • Periodic

Vulnerability assessments

• Training

13


Powerhouse Research. Practical Solutions.

Evolving Optical Transport Network Security

Documents

Transcript of Evolving Optical Transport Network Security