Interceptor Optical Network Security System. Design Guide. Chapter 4: INTERCEPTOR Optical Network Security System Alarmed Carrier PDS


Copyright 2010 Network Integrity Systems, Inc. All rights reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Network Integrity Systems, Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Network Integrity Systems, Inc., the Network Integrity Systems, Inc. logo, and Interceptor are trademarks of Network Integrity Systems, Inc. Other brands and product names are trademarks or registered trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Network Integrity Systems, Inc. reserves the right to make changes to the products described in this document without notice. Network Integrity Systems, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

The INTERCEPTOR Optical Network Security System is a combination of components which together make up an alarmed carrier hardened protective distribution system fully compliant with NSTISSI 7003 and the corresponding guidelines of the various agencies and services. At the foundation of the system is the INTERCEPTOR device itself. INTERCEPTOR launches a monitoring signal into a pair of fibers of the optical cable being protected, which turns the entire cable (up to 144 fibers) into a sensor. Specifically, when any component of the cable is abnormally handled, such as would occur during an intrusion attempt, the monitored fibers sense the disturbance and INTERCEPTOR reports the event.

INTERCEPTOR uses the standard communications fibers inside the cable to perform the monitoring, whether they are dark (unused) or active (transmitting data); therefore no special sensing fibers are required. The INTERCEPTOR model is used to monitor dark fibers. The INTERCEPTOR Plus model is used to monitor active fibers.

INTERCEPTOR incorporates a feature referred to as Smart Filtering technology. This technology enables INTERCEPTOR to autoconfigure itself, meaning that it learns the normal ambient state of the network to create a baseline of normal, routine, benign, non-threatening events such as the vibration caused by a nearby air conditioning unit, vehicle traffic, etc. While monitoring, these normal events are ignored.

For most cable designs, monitoring as few as 2 fibers within the cable can protect an entire 144-fiber cable. If ingress into the cable is attempted, the protected fibers will sense the disturbance and issue an alarm. The effectiveness of this depends on the design of the optical cable itself. Some cable designs require monitoring on more fibers than others (for instance an 864-fiber cable).

Only a single INTERCEPTOR is needed at one end of the cable being protected. If dark fibers are being monitored, a simple, off-the-shelf optical loopback device is used in a patch panel at the far end to send the monitoring signal back to the INTERCEPTOR. When monitoring active fibers, a single INTERCEPTOR Plus is needed at one end of the cable; at the far end, however, a Remote Termination Unit (RTU) is required to separate the monitoring signal from the data signal.

At a minimum, a single INTERCEPTOR can provide a secure connection to four separate locations. However, through some simple fiber concatenation methods (i.e. daisy chaining), a single INTERCEPTOR can provide secure connections to many separate locations. The exact number of locations a single INTERCEPTOR can connect varies, as it is based on the specific network architecture of the deployment.

INTERCEPTOR is a physical layer device, and does not touch, process or verify the network data (IP or cell headers) or the National Security Information; therefore no bandwidth bottlenecks are created, allowing full utilization of the network up to 10Gbps and beyond.

The INTERCEPTOR can be locally managed by serial console, and remotely managed by Telnet or Secure Shell (SSH). The INTERCEPTOR can be accessed via terminal programs such as HyperTerminal or TeraTerm.

2010 Network Integrity Systems, Inc. All Rights Reserved Issue DG.8.2010

Figure 1: Typical INTERCEPTOR configuration when dark fibers are used for monitoring

Figure 2: Typical INTERCEPTOR configuration when active fibers are used for monitoring

The INTERCEPTOR Optical Network Security System was developed specifically for Information Assurance applications, and in part with Department of Defense funding. It has been deployed since 2003 within the Intelligence community and in support of numerous facilities and installations across the Department of Defense, Department of Justice, Department of Homeland Security and all branches of the United States military.

Alarmed Carrier Components

In order to fully understand the various design methodologies and network architectures currently in existence, it is important as a preliminary matter to understand the basic INTERCEPTOR system components and ancillary infrastructure products that would be required to deploy a hardened PDS system in support of a SIPRNet or JWICS network. The INTERCEPTOR comes in two different versions: INTERCEPTOR and INTERCEPTOR+Plus.

INTERCEPTOR

Photo 1: INTERCEPTOR

An optical network security system that can be installed on any fiber optic network, either singlemode or multimode, and that turns fibers inside the cables into sensors that monitor the physical security of the cable or cables. Thus, once employed, the INTERCEPTOR is constantly looking for any potential tampering or attempts to access the fibers inside the cable or cables. The basic INTERCEPTOR model only works on dark fibers; the INTERCEPTOR injects the monitoring signal on the dedicated dark strands inside the cable. Finally, the INTERCEPTOR can be easily installed on either new or existing fiber optic cables.

INTERCEPTOR units are available in one, two, or four-port configurations, which are all only one rack unit (RU) in height. Each port can protect up to a 144-fiber cable by monitoring as few as two strands of fiber inside the cable. For a more in-depth discussion, see the network architecture material in Chapter 5 of this Guide.

The basic INTERCEPTOR model is ideal for projects where new cable infrastructure will be installed, because extra dark fibers can be planned for and included in those fiber optic cables.

INTERCEPTOR+Plus

Photo 2: INTERCEPTOR+Plus

This model operates in an identical manner as the basic INTERCEPTOR unit, but it is capable of monitoring both active (or "lit") fibers as well as dark fibers. The INTERCEPTOR+Plus uses an out-of-band wavelength to inject the alarm monitoring signal onto the same fibers that are carrying the classified network traffic. The alarm monitoring signal and the classified data remain completely separate optical signals.

Figure 3: Graphic of Optical Fiber with two different Signals at 850nm and 1300nm (labels: Data, Monitor, WDM, Both, Single Fiber)

When monitoring active fibers, INTERCEPTOR+Plus units can be configured to disrupt the optical signal upon alarm, thus providing users with an additional level of assurance and protection. For any application where spare fibers may eventually be placed into service, the INTERCEPTOR+Plus provides a very scalable and easy-to-migrate solution.

Optical Loopback

When using an INTERCEPTOR with dark fibers, there is no data being carried on the monitored fibers; therefore they do not need to be connected to a switch or terminated in a bulkhead or faceplate. As such, it is possible to consolidate all INTERCEPTOR equipment on one end of the network and loop the monitored fibers at the far end to create a constant optical circuit that originates at the INTERCEPTOR equipment, travels the length of the cable to the loopback point, travels back the length of the cable, and terminates back at the INTERCEPTOR.

Figure 4: INTERCEPTOR Dark Fiber Installation

Options for Creating a Fiber Loopback

Several options exist for creating a fiber loopback. Typically the protected cables are terminated at a patch panel, usually in an equipment rack, or a zone box. At that patch panel one of two methods is used to loop back the signal to the INTERCEPTOR:

1. Fiber optic loopback cable (patchcord)
2. Optical loopback connector

Figure 5: Fiber Loopback (patch panel with a fiber optic loopback cable (patchcord) and an optical loopback connector)

The cable slack of the patch cord must be secured in the patch panel, as it is sensitive and could trigger an alarm if disturbed. While it is a slightly more expensive solution, we recommend the use of the optical loopback connector for its mechanical stability and the avoidance of cable slack management.

When terminating the cables at the workstation, for instance in a secure lockbox, the loopback is achieved by one of two methods: through the use of a splice, either fusion or mechanical, or, if the fibers are connectorized, by connecting them in a barrel sleeve.

1. Optical splice, either fusion or mechanical

Photo 3: An elastomeric splice

Photo 4: A fusion splice

2. If the fibers are connectorized, connection to a barrel sleeve

Photo 5: Connectorization with a barrel sleeve

When terminating fibers inside a workstation lockbox, the methods described above are necessary because a small footprint is required. To secure these parts inside the lockbox, you can simply Velcro-tie them to the side of the box behind the faceplate, and the user will not be aware that there is anything alarmed or being monitored. It will therefore be completely transparent to these users.

Remote Termination Unit

Photo 6: Rack Mounted RTU

When using an INTERCEPTOR+Plus on active fibers, an optical loopback cannot be used because there will also be data traveling on those fibers that needs to be optically connected to a switch, patch panel, or faceplate in order for the network to send and receive information. Thus, active fiber monitoring requires an INTERCEPTOR+Plus to be installed on one end of the network, and a remote termination unit, or RTU, to be installed on the other.

An RTU is a completely passive device that uses wavelength division multiplexing technology to optically separate the alarm-monitoring wavelength and the wavelength carrying the classified information. The RTU allows the optical wavelength carrying the data to pass through it untouched, while the alarm-monitoring wavelength is separated and then reinserted onto the returning fiber, which terminates back at the INTERCEPTOR+Plus unit.

Photo 7: Micro-RTU

Figure 6: INTERCEPTOR PLUS+ RTU Circuit (monitored pair, active; data wavelength shown in blue, monitor wavelength shown in red)

RTUs are available in both rack-mount and micro configurations. A rack-mount RTU is a one-rack-unit sized passive device that provides RTU functionality for one, two, or four INTERCEPTOR+Plus circuits. Rack-mount RTUs are commonly used in high density deployments such as storage area networks (SANs) or datacenters. A micro-RTU is a compact RTU that provides RTU functionality for a single INTERCEPTOR+Plus circuit. The small size of the micro-RTU enables convenient mounting in a variety of applications, such as the inside of a zone box, patch panel, connector module housing, or the faceplate of most secure workstation enclosures.

Interlocking Armored Cable

Several years ago, a majority of the fiber optic cable manufacturers in the United States began to offer an interlocking armor for their cables that would eliminate the need for first installing innerduct in commercial buildings. The interlocking armor was spirally wound around the entire length of the fiber optic cable, and then a PE or PVC outer jacket would surround the armoring, thus allowing ease of handling, as well as printing cable configuration, footage marks, and date of manufacturing on the outside of the cable per BICSI standards. Essentially, the interlocking armor provides a single piece of aluminum or steel armoring that is wound around the entire length of the cable, which provides end-to-end protection.

Since older alarmed carrier technology required an external sensing fiber to be installed adjacent to the cable or cables to be protected, commercial off-the-shelf interlocking armored cables offered little value or added protection, since they would still need to be installed inside a rigid metallic conduit or engineered raceway. However, since INTERCEPTOR and INTERCEPTOR+Plus units monitor fibers within the cable, interlocking armored cables can be used in CONUS and many OCONUS locations to eliminate completely the need for rigid metallic conduit or engineered raceway systems to be installed for point-to-point, alarmed carrier PDS installations (IAW CTTA guidance). The interlocking armored cable can simply be installed using j-hooks or cable D-rings attached directly to the structure or suspended using all-thread.

The only fiber optic cables approved by the CTTAs to be used with INTERCEPTOR or INTERCEPTOR+Plus units are cables that have interlocking armor wound around their entire length. The older BX style of armoring provides insufficient protection and is not approved. A detailed list of the interlocking armor cables that have been tested and approved for use with the INTERCEPTOR can be found at http://www.networkintegritysystems.com.

Figure 7: Interlocking Armored Cable (interlocking armored cable running from the fiber optic patch panel and INTERCEPTOR alarmed carrier PDS equipment to a LAN closet, IPS, zone box, or workstation, etc.)