Interceptor Optical Network Security System
Chapter 3: Choosing between Encryption or a Protected Distribution System (PDS)
Copyright 2010 Network Integrity Systems, Inc. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Network Integrity Systems, Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks
Network Integrity Systems, Inc., the Network Integrity Systems, Inc. logo, and Interceptor are trademarks of Network Integrity Systems, Inc. Other brands and product names are trademarks or registered trademarks of their respective holders.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Network Integrity Systems, Inc. reserves the right to make changes to the products described in this document without notice. Network Integrity Systems, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
This section of the Guide is primarily intended for readers who are still uncertain about whether they should use encryption or a PDS, which are both approved options for protecting National Security information, or who are trying to decide which type of PDS to install. This section details some important criteria and factors that should be considered as part of the Information Assurance decision-making process. If the decision has already been made to use INTERCEPTOR as the PDS solution at your facility or on your network, skip to Chapter 4 of this Guide, which provides crucial details concerning the implementation of an INTERCEPTOR system.

Key Decision: Whether encryption or a PDS provides the ideal solution for your particular network and application.

Classified national security information must be protected. The primary protection methods are either:
1. NSA-approved, Type-I, in-line network encryptors, or
2. PDS systems.

With the increased deployment of SIPRNet and JWICS, there are often significant economic, technical, and operational considerations that make a PDS a better solution than encryption for secure network deployments inside a facility or across a campus or installation.

Economic Considerations Associated With Encryption
First, encryption requires an in-line encryptor to be installed on each end of the network. These encryptors individually cost about $9,000*. Therefore, the total cost of a single protected circuit is between $9,000 and $18,000*. Second, Type-I encryptors are COMSEC controlled items that must be secured either in CAAs or in GSA-approved information processing system (IPS) security containers, such as a safe or a vault.
Usually, one encryptor is contained in the red/black equipment room (an area where encrypted information arrives at a facility to be distributed unencrypted throughout the local network, which is usually a CAA), but the other encryptor is typically at a workstation, office, or conference room that is not a CAA; therefore, an IPS vault becomes necessary. The average cost for an IPS safe is between $4,000 and $18,000*. When deploying SIPRNet to multiple offices or locations in a facility, the encryptor and IPS costs accumulate quickly.

*Published prices as of January 2010.

2010 Network Integrity Systems, Inc. All Rights Reserved Issue DG.8.2010 9
Technical Considerations Associated With Encryption
A Type-I encryptor protects data on a single two-fiber connection or circuit, whereas a PDS system protects all of the fibers, and in the case of Dense Wavelength Division Multiplexing (DWDM) systems all of the wavelengths, in the cable or cables within the PDS. Further, traditional Type-I encryptors also limit bandwidth to 100 Mbps. Newer encryptors provide up to 1 Gbps, but cost in excess of $25,000* each. With network speeds increasing to Gigabit Ethernet and beyond, 100 Mbps encryptors create a sizeable bandwidth bottleneck. If the encryptors are configured in a point-to-multipoint configuration, then multiple encryptors share the 100 Mbps, making the bottleneck increasingly restrictive. Finally, it is expected that DWDM technology will migrate into more data center/LAN applications over the next few years to enhance the bandwidth of fiber optic networks. Whereas a Type-I encryptor will be required for each wavelength on each fiber being used for secure traffic, a single Interceptor port protects the entire cable, every fiber in it, and every wavelength on each fiber.

Figure 1: Example of bandwidth degradation with multiple uplinks to users

Mission-critical networks differ greatly from commercial networks in that when there is a crisis or combat operation, everyone is using the network. In these situations, when the network is needed the most, bandwidth bottlenecks will hurt the most.

*Published prices as of January 2010.
Operational Considerations Associated With Encryption
In order to procure COMSEC items, government agencies must have the necessary authorizations on their COMSEC accounts. They also must closely monitor, track, and protect COMSEC items. Additionally, Type-I encryption is based on a public key infrastructure (PKI), which requires extensive user management and configuration. PKI management is a significant COMSEC and administrative function that many units simply cannot absorb or tolerate. Finally, as a COMSEC item, many encryptors have a lead time of six months or more once COMSEC authorizations are approved and MIPRs are processed. Many agencies or DOD units cannot wait that long.

Key Decision: If these considerations do not present issues for you or do not create any concerns for the performance or scalability of your secure network, then encryption could be a workable solution for your network and application. However, if some of the considerations do create concerns, then deploying a PDS system in place of encryption is likely the more prudent decision. For questions or additional guidance, please contact the CTTA that provides oversight to your organization.

Protective Distribution Systems
PDS systems are used to transmit unencrypted, classified national security information through areas of lesser classification or control. Since the classified information is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. PDS systems are not designed to prevent tampering or penetration; rather, their primary purpose is to facilitate detection as soon as possible after such events occur. Any PDS system can be compromised or penetrated given the opportunity and an adequate amount of time. There are two categories of PDS, of which we will discuss the first:
1. Hardened Distribution Systems
2. Simple Distribution Systems

Hardened Distribution Systems provide significant physical protection and can be implemented in one of three forms:
1. Hardened Carrier System
2. Alarmed Carrier System
3. Continuously Viewed Carrier System

Hardened Carrier Systems
In a Hardened Carrier System, the data cables are installed in a carrier constructed of electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid sheet steel ducting. All of the connections in a Hardened Carrier System are permanently sealed completely around all surfaces, for instance with welds or epoxy. If the hardened carrier is buried underground, for instance to secure cables running between buildings, the carrier containing the cables should be encased in concrete. In a Hardened Carrier PDS, detection is accomplished via the human inspections that are required to be performed periodically. Therefore, a Hardened Carrier System must be installed such that it is capable of being visually inspected (for instance below the ceilings and above the floor) to ensure that no intrusions into it have been made. These periodic visual inspections (PVIs) occur at a frequency dependent upon the level of threat to the environment, the security classification of the data, and the access control to the area.
There are basically two forms of Hardened Carrier PDS:
1. Systems custom constructed of Rigid Metallic Conduit or EMT
2. Aesthetically Engineered Raceway

Photo 1: EMT

Traditional Hardened Carrier PDS: Rigid Metallic Conduit / EMT
In accordance with NSTISSI 7003, a ferrous, rigid metallic conduit system with epoxied fittings is required for any hardened carrier PDS system in order to protect against overt, covert, and surreptitious attacks. As such, the traditional hardened carrier PDS system that has been deployed for decades is electrical metallic tubing (EMT) conduit and fittings. When SIPRNet and JWICS requirements were isolated to only a few facilities on a base or agency, installing EMT was a fairly minor concern. However, now that SIPRNet is being deployed in an increasingly large number of facilities, including those that are newly constructed, installing EMT throughout is neither desirable nor practical. When EMT is installed along a hallway or in an office, it significantly detracts from the environment and the aesthetics of the facility. It also requires extensive labor and installation, since the EMT system must be custom installed into each room or hallway. Finally, once installed, the EMT system is not easily scalable to meet new requirements that may arise in the future. Many government agencies are moving away from using EMT for PDS systems as part of the recent focus on green building criteria and LEED credits for facility construction.
Photo 2: Engineered raceway

Traditional Hardened Carrier PDS: Aesthetically Engineered Raceway
Due to growing concerns about the use of rigid metallic conduit or EMT for PDS systems, a few commercial companies engineered a new raceway system that is aesthetically neutral (i.e., painted and designed to blend into the hallway or office) and re-enterable to facilitate possible moves, additions, and changes. In light of security concerns over the re-enterability of these systems, however, there has been much debate over their long-term security. As a result, several CTTAs have mandated compensating measures such as epoxying some or even all of the seams along the engineered raceway system. Nonetheless, engineered raceway systems account for up to fifty percent of new hardened carrier PDS installations. Engineered raceway systems are more expensive than traditional rigid metallic conduit, and they often require extensive design and installation assistance from the manufacturer, which usually comes at an added cost. Epoxying the seams of the raceway significantly detracts from the raceway system's re-enterability, thus decreasing the usefulness of the system as a modular and scalable option. Always consult your DAA or CTTA before installing an engineered raceway system in order to fully understand the requirements and limitations of the product from a certification and accreditation perspective.
Traditional Hardened Carrier PDS: Concrete Encased Ductbank
For outside plant deployments, a hardened PDS system is usually constructed between buildings by encasing a duct bank with rebar and concrete. Per NSTISSI 7003, it should be buried a minimum of 1 meter below the surface and on property owned or leased by the US Government or the contractor having control of the PDS.

Figure 2: Concrete encased ductbank (duct bank running between Building 1 and Building 2; callouts: concrete, duct, cables; the duct bank must be buried a minimum of 1 meter below the surface and, in many cases, is encased in 8" of concrete)
Alarmed Carrier PDS
In the second alternative for a Hardened Distribution System, the Alarmed Carrier System, the inspections are automated using an electronic monitoring or alarm system, which ensures that reliable inspections occur continuously, 24/7/365. Referred to as an Alarmed Carrier PDS, the carrier system is alarmed with specialized optical fibers deployed within the conduit for the purpose of sensing acoustic vibrations, which usually occur when an intrusion is being attempted on the conduit in order to gain access to the cables. Alarmed Carrier systems improve upon the performance of Hardened Carrier Systems: they not only make it difficult to gain access to the cables, but they detect attempts to do so as well. An Alarmed Carrier PDS modifies the requirements as follows:
1. Eliminates the need for the welding and epoxying of the connections.
2. Eliminates the requirement for Periodic Visual Inspections (PVIs).
3. Because PVIs aren't required, the carrier can be hidden above the ceiling or below the floor.
4. The requirement for concrete encasement outdoors is eliminated.

When using an alarmed carrier PDS, NSTISSI 7003 requires:
- The alarm system must be approved by the cognizant COMSEC and/or physical security authorities.
- A Standard Operating Procedure (SOP) must be implemented to:
  - Verify performance
  - Ensure response by security personnel within 15 minutes
  - Define the action to be taken regarding termination of transmission
  - Initiate investigation of an actual intrusion attempt

The INTERCEPTOR Optical Network Security System is classified as an Alarmed Carrier PDS. However, the Interceptor improves upon legacy Alarmed Carrier PDS technology. Instead of monitoring the carrier containing the cables being protected, Interceptor monitors the fibers within (or intrinsic to) the cables being protected, turning those cables into sensors that detect attempts to intrude upon them.
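The SOP points above (response within 15 minutes, a defined action on termination of transmission, investigation of an actual intrusion attempt) are the part of an alarmed carrier deployment that an operator has to demonstrate, not just install. The following is an added example, not code from this Guide or from the Interceptor product: it evaluates a constructed alarm event log against those SOP points and lists the alarms that missed the response window or were never answered. The log format and the event names (ALARM, RESPONDED, TX_TERMINATED, CLEARED) are assumptions for the example.

```python
"""Added example (not from the NIS guide or the Interceptor product): check alarmed-carrier
alarm events against the NSTISSI 7003 SOP points the chapter lists. Log format and event
names are hypothetical."""
from datetime import datetime, timedelta

RESPONSE_LIMIT = timedelta(minutes=15)  # security response requirement stated in the chapter

# Constructed sample log (assumed format: ISO timestamp followed by key=value fields).
SAMPLE_LOG = """\
2010-03-02T08:14:05 port=3 event=ALARM id=A-101
2010-03-02T08:21:40 port=3 event=RESPONDED id=A-101 by=guard-7
2010-03-02T08:25:00 port=3 event=CLEARED id=A-101 finding=false-positive
2010-03-02T13:02:10 port=1 event=ALARM id=A-102
2010-03-02T13:02:15 port=1 event=TX_TERMINATED id=A-102
2010-03-02T13:30:55 port=1 event=RESPONDED id=A-102 by=guard-2
2010-03-02T14:10:00 port=1 event=CLEARED id=A-102 finding=intrusion-attempt
2010-03-02T16:45:00 port=2 event=ALARM id=A-103
"""


def parse_line(line):
    """Turn one log line into a dict: 'ts' holds a datetime, the rest are the key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def evaluate_alarms(log_text, limit=RESPONSE_LIMIT):
    """Group events by alarm id and record, per alarm, how each SOP point was met.

    Returns {alarm_id: {"port", "response_seconds", "within_limit", "tx_terminated",
    "finding", "needs_investigation", "open"}}.
    """
    alarms = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        alarm = alarms.setdefault(rec["id"], {
            "port": rec["port"], "raised": None, "response_seconds": None,
            "within_limit": False, "tx_terminated": False, "finding": None,
            "needs_investigation": False, "open": True,
        })
        event = rec["event"]
        if event == "ALARM":
            alarm["raised"] = rec["ts"]
        elif event == "RESPONDED" and alarm["raised"] is not None:
            delta = rec["ts"] - alarm["raised"]          # time until security personnel responded
            alarm["response_seconds"] = int(delta.total_seconds())
            alarm["within_limit"] = delta <= limit
        elif event == "TX_TERMINATED":
            alarm["tx_terminated"] = True                 # the SOP's "termination of transmission" action
        elif event == "CLEARED":
            alarm["finding"] = rec.get("finding")
            alarm["open"] = False
            # An actual intrusion attempt must be investigated, not merely cleared.
            alarm["needs_investigation"] = alarm["finding"] == "intrusion-attempt"
    for alarm in alarms.values():
        alarm.pop("raised")
    return alarms


def sop_violations(alarms):
    """Alarm ids that missed the 15-minute response window or were never answered at all."""
    return sorted(alarm_id for alarm_id, alarm in alarms.items()
                  if alarm["response_seconds"] is None or not alarm["within_limit"])


if __name__ == "__main__":
    result = evaluate_alarms(SAMPLE_LOG)
    for alarm_id, alarm in result.items():
        print(alarm_id, alarm)
    print("SOP violations:", sop_violations(result))
```

In the constructed log, A-101 is answered in 7 minutes 35 seconds and cleared as a false positive, A-102 is answered after 28 minutes 45 seconds (a violation) and closed as an intrusion attempt that still needs an investigation record, and A-103 has not been answered at all; the first item of the SOP, verifying performance, is what a periodic run of this kind of check over the real alarm history would support.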
In addition to the aforementioned benefit of eliminating human visual inspections, Alarmed Carrier systems that monitor cables intrinsically provide the opportunity to quickly secure pre-existing cable infrastructure, since these systems are deployed by making simple connections to the end-points of the cable. This provides the added benefit of being able to quickly redeploy the alarm systems to keep pace with network rearrangements. Depending on the government organization, intrinsic cable monitoring of an interlocking armored cable further allows the elimination of the carrier system altogether and permits the cables being protected to be installed in existing conveyance (wire basket, ladder rack) or suspended cabling (on D-rings, J-hooks, etc.), which drastically reduces the cost and simplifies the installation of the cable system. More discussion of the Interceptor Optical Network Security System will occur in Chapter 4.

Keep in mind that there are several factors that must be considered when evaluating network security mechanisms, such as classification of traffic, facility security and access control, and perimeter distance, and that it is necessary to evaluate each project or deployment on its own characteristics and merits. A PDS system is but one layer in the Defense-in-Depth approach to securing and protecting mission-critical networks. For specific guidance on your network or facility, please contact your CTTA.
Deciding between a Hardened Carrier PDS and an Alarmed Carrier PDS: Minimizing the Total Cost of Ownership of a PDS System
The cost of purchasing and installing a PDS system is not trivial; thus, it is important to factor in long-term scalability. For instance, such considerations could include:
1. Future required increases in the level of classification that the network will carry,
2. The need to modify or expand the PDS system for new users,
3. The risk of having to move or relocate into another facility or work center.

Once the potential dynamics and growth issues that a PDS will have to endure have been mapped out, the next step is to consider the complexity and cost of modifying the PDS system over time. Relevant considerations here include:
1. Whether the PDS system is flexible and easy to modify,
2. Whether it will allow additional networks to be installed or support higher classifications,
3. How long until it will reach its full capacity and need to be replaced or augmented by another PDS system,
among others.

As previously mentioned, for outside plant deployments, a hardened carrier PDS system is normally constructed using a rebar plus concrete-encased duct bank that is installed physically between two facilities. For deployments inside a facility, the hardened carrier PDS system is primarily comprised of rigid metallic conduit or an engineered raceway system that is custom designed for the facility in which it is installed, firmly attached to the walls, and often epoxied together for increased security and to detect tampering. As a result, hardened carrier systems are not easily scalable options. In fact, hardened carrier PDS systems inside a facility often require a second or third hardened carrier to be installed adjacent to the original system to support SIPRNet and JWICS growth.
Even engineered raceway systems, designed to be re-enterable, cause the owning organization to suffer high cost and complexity when requirements increase or the PDS system needs to be expanded, especially if the seams were required to be epoxied. If an organization relocates to a new facility, it is impossible to move a concrete-encased duct bank, and it is neither practical nor cost-effective to remove and reinstall a hardened carrier system such as rigid metallic conduit or engineered raceway. This cost is even greater than that of installing a completely new PDS system in the new facility.

Conversely, INTERCEPTOR alarmed carrier PDS systems are by nature easy to grow or scale. In an alarmed carrier PDS, the system is built around the alarm sensor rather than the conduit or raceway that is installed throughout the facility and bolted to the walls, or the concrete-encased duct bank running between facilities. As a result, expanding the alarmed carrier PDS system is usually completely transparent and seamless to the end users. If an organization must relocate, it will be able to quickly and easily transport the PDS alarm system to, and use it in, the new facility. By doing so, an organization will be able to recoup between seventy-five and eighty percent of the cost of the PDS system, thereby minimizing the total cost of ownership and providing rapid deployment of SIPRNet or JWICS connectivity. For more information on the differences between hardened and alarmed carrier PDS systems, please reference www.cnss.gov/assets/pdf/nstissi_7003.pdf
The Economic Considerations of a PDS System
For most engineers and end users deploying SIPRNet/JWICS networks, the objective is to reach a cost-effective yet secure solution that meets certification and accreditation requirements while minimizing total cost of ownership. This section of the Guide provides a thorough review of the deployment costs of INTERCEPTOR and a comparison with alternative deployments using in-line network encryptors, rigid metallic conduit, or aesthetically engineered raceway. For any network deployment, it is important to focus on the total installed cost as opposed to just the material cost or a portion of the cost of deployment. After all, an INTERCEPTOR does not operate by sitting in the box inside your red/black equipment room. The same is true for the traditional PDS deployment of rigid metallic conduit: the conduit or EMT would do nothing if it were piled up outside the building or along a hallway. Both solutions must be designed and installed before they offer any protection. Thus, it is absolutely critical to factor in these additional design and installation costs when comparing the available options.

For a typical commercial network deployment, the total installed cost of the network is divided into three major cost categories: active equipment, cabling/connectivity, and installation/labor. The chart below shows the distribution of the total installed cost between these three categories.

Chart 1: Commercial network deployment

As you can see, the labor/installation component is by far the most expensive component of any network deployment. More importantly, labor and installation costs would be incurred again if the network had to be re-deployed or over-built at any time in the future. Also, the choices made concerning the active equipment and cable/connectivity components have a direct impact on increasing or minimizing the labor/installation component.
If a PDS solution is chosen that requires extensive design assistance, such as an aesthetically engineered raceway, or is custom installed into each room or hallway, such as rigid metallic conduit, then the cost for labor and installation could increase substantially. In fact, the following charts show the new cost distribution for network deployments involving hardened carrier PDS systems.
Chart 2: Total Installed Cost, Hardened PDS Deployment, Engineered Raceway

Chart 3: Total Installed Cost, Hardened PDS Deployment, Rigid Metallic Conduit

Chart 4: Comparison of Total Costs of Hardened PDS Deployment

As you can see, the design and deployment of a hardened carrier PDS system can easily add between twenty and thirty percent to the total installed cost for SIPRNet and JWICS deployments. In fact, this number can quickly jump to between forty and fifty percent when using aesthetically engineered raceway systems that require factory engineers or certified contractors to install the PDS and network cabling, which usually results in a dramatic increase in the labor and installation costs of the network deployment.
Another important consideration for secure network deployments is the amount of time it will take the contractor to install the PDS and deploy the network cabling. Additionally, while not a direct cost component of the deployment, it is absolutely critical to factor in the logistics and storage area for materials, facility access, personnel security concerns, worksite disruption, and escort requirements. Each of these considerations indirectly contributes to the cost of deployment for hardened carrier systems. Finally, the scalability of the hardened carrier PDS system is important to consider as well. With the explosion of SIPRNet and JWICS requirements, it is prudent to expect secure network access requirements to grow considerably over the next three to five years. Thus, any PDS system installed must account for future growth and scalability. For rigid metallic conduit systems, and for engineered raceway solutions where CTTAs still require seams to be epoxied, this is usually accomplished by installing a second PDS raceway below the first one. From a net present value perspective, this requires the owning organization to double its PDS investment. For engineered raceway solutions that are not required to be fully epoxied, there is a significant savings, but there is still a significant investment in labor and installation to deploy new cables in the PDS raceway.

INTERCEPTOR Deployment Costs
In contrast to hardened carrier PDS systems, INTERCEPTOR deployment costs are not measured by the linear footage of PDS raceway to be installed or simply by counting the number of SIPRNet/JWICS drops. When evaluating the deployment costs of the INTERCEPTOR system, it is important to first assess the number of buildings or users that need to be protected and the most cost-effective design methodology to be employed.
INTERCEPTOR protection can be applied by dedicating an entire port to each individual cable, such as building-to-building connections or building riser networks, among others, or by using a single port to protect multiple cables, such as horizontal cabling or workstation drops. As demonstrated by the charts below, INTERCEPTOR equipment costs are easily calculated.

Chart 5: INTERCEPTOR Equipment Costs: Point-to-Point Protection
Chart 6: INTERCEPTOR Equipment Costs: Point-to-Multipoint Protection

A critical advantage of protecting secure networks with INTERCEPTOR is that as long as INTERCEPTOR is monitoring and protecting as few as two fibers in the cable, ALL of the fibers in that cable (up to 144) will be protected and able to carry unencrypted national security information.

Another consideration involved with deploying an INTERCEPTOR system is choosing the conveyance that will be used to distribute the cabling and provide some physical armoring or hardening of the network cables. For years, the traditional approach was to use EMT or rigid metallic conduit inside buildings and concrete-encased duct banks between buildings in order to protect SIPRNet and JWICS networks. Even for early deployments of alarmed carrier PDS systems, EMT and rigid metallic conduit were still used; they were just installed above the ceiling or below the floor, since periodic visual inspections were not required due to the alarm system. In March of 2009, the DOD evaluated and approved the use of commercial off-the-shelf interlocking armored fiber optic cable to replace EMT or rigid metallic conduit, provided that the cable is protected by INTERCEPTOR. This dramatically reduced the cost of deploying new secure networks as part of a building construction or modernization activity or when deploying an overlay SECRET or TS network. Rather than paying an average price of seven to ten dollars per foot for EMT or rigid metallic conduit, users can now pay an additional one to two dollars per foot to have a fiber optic cable armored. In addition to this dramatic material cost savings, the reduction in installation complexity provides even greater savings. All things considered, armored cable has the ability to save between sixty and eighty percent of the typical deployment costs associated with hardened carrier PDS systems.
As demonstrated by the chart below, even if multiple fiber optic cables must be installed, the cost savings over the traditional EMT or rigid conduit hardened carrier PDS system is significant.
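The figures this chapter states are spread over several sections: the per-circuit encryptor and IPS container prices and the 100 Mbps encryptor link in the encryption considerations, the twenty-to-thirty and forty-to-fifty percent hardened-PDS overheads, the doubling of the PDS investment when an epoxied carrier is expanded, the seventy-five-to-eighty percent recoup on relocating an alarmed carrier, and the per-foot prices for conduit versus armoring. The following is an added example, not a tool from this Guide or from Network Integrity Systems: it carries those published figures through one constructed deployment so the options can be laid side by side as low/high ranges. The scenario inputs (drop counts, pathway footage, base network cost) and the lifecycle assumptions named in the comments are assumptions for the example, not figures from the Guide; INTERCEPTOR port prices are not on the page and are therefore not modelled.

```python
"""Added example (not from the NIS guide): a small total-installed-cost model built from the
chapter's published figures (January 2010 prices). Scenario inputs are constructed."""

# Figures stated in the chapter, as (low, high) ranges in USD or as fractions.
ENCRYPTED_CIRCUIT_USD = (9_000, 18_000)     # Type-I in-line encryptors per protected circuit
IPS_CONTAINER_USD = (4_000, 18_000)         # GSA-approved IPS safe at an endpoint outside a CAA
ENCRYPTOR_LINK_MBPS = 100                   # traditional Type-I encryptor bandwidth
CONDUIT_PER_FOOT_USD = (7.0, 10.0)          # EMT / rigid metallic conduit
ARMOR_PER_FOOT_USD = (1.0, 2.0)             # premium to have a fiber optic cable armored
HARDENED_OVERHEAD = {"conduit": (0.20, 0.30), "raceway": (0.40, 0.50)}  # added to total installed cost
ALARMED_RELOCATION_RECOUP = (0.75, 0.80)    # share of PDS cost recovered when an alarmed PDS moves


def _scale(low_high, factor):
    return (round(low_high[0] * factor, 2), round(low_high[1] * factor, 2))


def _add(a, b):
    return (round(a[0] + b[0], 2), round(a[1] + b[1], 2))


def encryption_cost(circuits, endpoints_outside_caa):
    """Encryptors for each circuit plus an IPS container at every endpoint that is not inside a CAA."""
    return _add(_scale(ENCRYPTED_CIRCUIT_USD, circuits),
                _scale(IPS_CONTAINER_USD, endpoints_outside_caa))


def shared_bandwidth_mbps(users, link_mbps=ENCRYPTOR_LINK_MBPS):
    """Per-user share when several endpoints sit behind one 100 Mbps encryptor (point-to-multipoint)."""
    return link_mbps / users


def conveyance_cost(feet, armored):
    """Pathway material cost: conduit per foot, or only the armoring premium on the cable itself."""
    return _scale(ARMOR_PER_FOOT_USD if armored else CONDUIT_PER_FOOT_USD, feet)


def hardened_pds_total(base_network_cost, kind):
    """Total installed cost once a hardened carrier PDS (conduit or engineered raceway) is added."""
    low, high = HARDENED_OVERHEAD[kind]
    return (round(base_network_cost * (1 + low), 2), round(base_network_cost * (1 + high), 2))


def lifecycle_pds_cost(pds_cost, alarmed, expansions=0, relocations=0):
    """PDS spend over a lifecycle, as a (low, high) range.

    Assumptions (constructed for this example, following the chapter's description): an epoxied
    hardened carrier is expanded by installing a second carrier (doubling the investment) and is
    replaced outright on relocation; an alarmed carrier is expanded by reconnecting the sensor
    (no new carrier) and 75-80% of its cost is recovered on each move.
    """
    if alarmed:
        lost_low = 1 - ALARMED_RELOCATION_RECOUP[1]   # best case: 80% recovered, 20% lost per move
        lost_high = 1 - ALARMED_RELOCATION_RECOUP[0]  # worst case: 75% recovered, 25% lost per move
        return (round(pds_cost * (1 + lost_low * relocations), 2),
                round(pds_cost * (1 + lost_high * relocations), 2))
    total = round(pds_cost * (1 + expansions + relocations), 2)
    return (total, total)


def compare_scenario(circuits, endpoints_outside_caa, feet, base_network_cost):
    """Side-by-side figures for one constructed deployment; money values are (low, high) USD."""
    return {
        "encryption": encryption_cost(circuits, endpoints_outside_caa),
        "per_user_mbps_if_shared": shared_bandwidth_mbps(circuits),
        "conduit_material": conveyance_cost(feet, armored=False),
        "armored_cable_material": conveyance_cost(feet, armored=True),
        "hardened_conduit_total": hardened_pds_total(base_network_cost, "conduit"),
        "hardened_raceway_total": hardened_pds_total(base_network_cost, "raceway"),
    }


if __name__ == "__main__":
    # Constructed scenario: 10 circuits to drops outside the CAA, 2,000 ft of pathway, $200,000 base network.
    for name, value in compare_scenario(10, 10, 2_000, 200_000).items():
        print(f"{name:26s} {value}")
```

Reading the ranges as low/high rather than as point estimates matters here: the chapter's prices are January 2010 figures marked with an asterisk, and the hardened-PDS overheads are stated as percentages of a total installed cost that the charts (not reproduced in the text) break down, so a model like this is only as good as the local quotes substituted for the constants at the top.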
Chart 7: Cost savings of Armored Fiber Optic Cabling vs. EMT

Conclusion
Understanding deployment economics, especially when considering recent approvals, is absolutely essential in the context of the decision to deploy an INTERCEPTOR system. The distribution and relationship between material cost and deployment complexity (e.g., armored cable versus EMT) is also a key consideration that can significantly reduce deployment cost and total cost of ownership.