LAYER 1 & LAYER 2 ENCRYPTION - WHY: ONE SIZE DOES NOT FIT ALL
Given on 4/28/2015
Todd Bundy, Director of Global Business Development, ADVA Optical Networking
tbundy@advaoptical.com, 203-546-8230
2015 Internet2

Why Encryption at L1 and L2?
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."
Edward Snowden - Guardian Interview, Moscow, July 2014
Data Center Environment & Security
- Physical Access to the Data Center
- Hardware Security
- Software Security
- ... and what about the Fiber Connection?
Fiber Optic Networks - Tapping Possibilities
Where to get access? Street cabinet; splice boxes / cassettes (outdoor / in-house).
How to get access? Y-bridge for service activities; fiber coupling device.
There are multiple ways to access fiber.

The World's 1st 100G Encryption Demo (video)
Diagram: local sender XG-210 (10TCE-AES100G, 4CSM, CLI) - optic coupler in the fiber path at an "intermediate hacker" tap position (XG210, 10TCE-AES100G, 4CSM & EDFA, VGC, CLI) - remote receiver XG-210 (10TCE-AES100G, 4CSM, CLI).
Comparison: Layer 1 & 2 solutions

Requirement                     | IPSec                                | MACSec (L2)                      | MACSec+ (L2)                 | Layer 1
Complexity & Cost               | high                                 | low                              | low                          | low
Latency                         | high                                 | low                              | low                          | extremely low
Deployment                      | no dedicated end-to-end connectivity | hop-to-hop only (security risk)  | end to end                   | end-to-end
Data Throughput                 | low                                  | medium                           | medium                       | 100%
Protocol Transparency           | low                                  | medium                           | medium                       | high
Flexible Encrypted Payload Size | restricted                           | restricted (standard MAC size)   | restricted (9600B MTU size)  | -
End to End Compatibility        | IP only                              | layer 2 only                     | VLAN bypass                  | 1G - 100G Fiber/OTN, SONET/SDH
Flexibility (Meshed)            | high                                 | low                              | medium                       | low
High Speed Encryption Modes

Layer 1 bulk mode (+0 bytes): point-to-point, protocol/interface agnostic (ETH, FC/IB, SONET/SDH); integrated solution with the lowest latency. Frame: DA SA S-TAG C-TAG Etype Payload FCS, encrypted as a whole.

MACsec (+32 bytes): hop-by-hop only; pure Ethernet based; overhead increase. Frame: DA SA SecTAG | S-TAG C-TAG Etype Payload | ICV FCS. DA through SecTAG are authenticated only; S-TAG through Payload are encrypted and authenticated; the ICV carries the authentication tag.

prosec (+32 bytes): end-to-end, PtP or multi-point; pure Ethernet based; overhead increase. Frame: DA SA S-TAG SecTAG | C-TAG Etype Payload | ICV FCS. The S-TAG stays in the clear (authenticated) ahead of the SecTAG; C-TAG through Payload are encrypted and authenticated.

IPsec ESP-AES-256 / ESP-SHA-HMAC (+73 bytes): bandwidth constraints, IP VPN services, huge overhead. Frame: DA SA S-TAG C-TAG Etype IPsec ESP IV | Payload Trailer | Auth FCS. Payload and Trailer are encrypted; ESP header through Trailer are authenticated, with the HMAC in the Auth field.

Encryption Performance - comparison of maximum throughput (3000). Chart: throughput vs. frame size (bytes).
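The throughput chart follows directly from the per-frame overhead figures on the modes slide. The following is an added example, not ADVA's code or measurement data: it takes the slide's overhead values (+0, +32, +32, +73 bytes) as parameters, adds the fixed Ethernet preamble and inter-frame gap, and computes the fraction of unencrypted throughput retained at each frame size, the resulting frame rate, and the largest plaintext frame that still fits a given link MTU.

```python
"""Throughput retained per encryption mode as a function of frame size.
Added example using the per-frame overhead figures quoted on the slides."""

# Wire overhead every Ethernet frame pays: 7 B preamble + 1 B SFD + 12 B IFG.
WIRE_GAP = 20

# Per-frame overhead in bytes as stated on the "High Speed Encryption Modes"
# slide. The IPsec figure depends on cipher, mode and padding; it is taken
# here as the slide's example value, not a general constant.
MODES = {
    "L1 bulk": 0,      # layer 1 bulk mode encrypts the frame in place
    "MACsec": 32,      # SecTAG (16 B with SCI) + ICV (16 B)
    "prosec": 32,      # same SecTAG/ICV, S-TAG left in the clear
    "IPsec ESP": 73,   # ESP header, IV, trailer and HMAC (slide figure)
}


def throughput_fraction(frame_size: int, overhead: int) -> float:
    """Fraction of the unencrypted goodput that survives once each frame
    grows by `overhead` bytes on a link running at a fixed bit rate."""
    on_wire = frame_size + WIRE_GAP
    return on_wire / (on_wire + overhead)


def frames_per_second(frame_size: int, overhead: int, line_rate_bps: float) -> float:
    """Maximum frame rate for a given frame size, overhead and link speed."""
    return line_rate_bps / ((frame_size + overhead + WIRE_GAP) * 8)


def max_frame_for_mtu(link_mtu: int, overhead: int) -> int:
    """Largest plaintext frame that still fits the link MTU after the encryption
    overhead is added (why the table lists MACsec payload size as restricted)."""
    return link_mtu - overhead


def comparison(frame_sizes=(64, 128, 256, 512, 1024, 1518, 9600)) -> dict:
    """Rows of the throughput-vs-frame-size chart, one per mode."""
    return {mode: {size: round(throughput_fraction(size, ovh), 4) for size in frame_sizes}
            for mode, ovh in MODES.items()}


if __name__ == "__main__":
    for mode, row in comparison().items():
        print(f"{mode:10s} " + " ".join(f"{size}:{frac:.1%}" for size, frac in row.items()))
    print("64 B frames at 10 Gbit/s:",
          {m: round(frames_per_second(64, o, 10e9)) for m, o in MODES.items()})
```

The penalty is steepest for small frames: a 64-byte frame loses about a quarter of its throughput under MACsec and almost half under IPsec, while at 9600 bytes both are within one percent of bulk mode.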
Optical transmission security - Speed of Encryption
Diagrams (Site A to Site B across the WAN): xWDM based encryption (WDM transport end to end); Ethernet based encryption; IPsec based encryption (routers, FC/IP gateways); FC based encryption (FC switches over WDM transport).
Axis labels: "Speed, throughput and simplicity" versus "Flexibility and complexity".

L1 Encryption Solution
- Highest level of security
- Speed - low latency
- 100% throughput
- Protocol and data rate agnostic
- Operational simplicity
- Encryption at the lowest possible layer

Data Center Connectivity - Dark Fiber
ConnectGuard optical layer 1 encryption between Site A and Site B (mainframe, storage, server)
Applications: data mirroring, remote backup, GDPS, snapshot, server clustering
Protocols: 4/8/10/16G Fibre Channel, 1/10/40/100G Ethernet, SDR/DDR/QDR/FDR/FDR-10 InfiniBand, FICON
- Protocol agnostic native transport of all data over a single color.
- 16G Fibre Channel, with future 32GFC, increases real throughput.
- Long list of certifications and partners.
- Maximum security and lowest latency.

Encryption over WDM
10GbE, 16G FC, 40GbE and 100GbE services between Site A and Site B over a WDM network; LAN, SAN and legacy traffic on multi-rate 10TCE-PCN-16GU+AES100G cards at each site; Network & Crypto Manager.

Business continuity example - sync
Data Center Site-A (servers/mainframes, director, FSP WDM, DISK primary, NMS) - fiber 0-200km - Intermediate Site-B (sync mirror servers/mainframes, FSP WDM, director, DISK secondary, tape vault)
Synchronous operation: a local transaction will only complete when the remote transaction completes.
Layer 1 Encryption
Large enterprises, e.g. financials, are upgrading their infrastructure to layer 1 encryption between their DCs. We believe that Cloud SPs will benefit from the same methodology. Layer 1 encryption will motivate large enterprises to move into the Cloud.
3,830 x 10G equivalent encrypted links in operation:
- 61% Finance (70 customers)
- 10% Cloud SPs (18 customers)
- 9% Government (16 customers)
- 6% Healthcare (8 customers)
- 5% Utilities (9 customers)

Verticals & Cloud Service Providers' use of L1 Encryption
- Finance: latency & security sensitive
- Government: security sensitive
- Healthcare: encryption security & cost is important; sensitive
- Utility: latency & security sensitive
- Internet Economy: scalability & cost sensitive, for all industries
Private Cloud - BC & DR - lowest latency - secure LAN/SAN/WAN
Dynamic Hybrid Cloud - BC & DR (on & off premises) - lowest latency - secure LAN/SAN/WAN
Public Cloud - XaaS - Internet connect

Use Cases: Marist IBM ADVA SDN LAB
- Bandwidth calendaring
- Cloud bursting
- Workload balancing
- Secure multi-tenancy
Diagram: Cloud DC and private datacenters, load per tenant (Tenant 1, Tenant 2).
The transactional nature of DC-to-DC traffic (bulk data transfers) offers opportunities for optical bandwidth-on-demand.

Combined sync/async scenario
Data center site-a (servers/mainframes, director, FSP WDM, DISK primary) - 0-200km fiber - Intermediate site-b (sync mirror servers/mainframes, FSP WDM, director, FC/IP gateway, DISK secondary, tape vault) - 0-1000s km carrier network (FC/IP) - CLOUD DR site-c, Ohio (async mirror servers/mainframes, FSP, DISK third copy)
Asynchronous operation: no specific link between completion of a local and a remote transaction.

Encryption over L1 Carrier Networks
1GbE & 10GbE services between Site A and Site B LANs over an OTN network (carrier managed service), n*1GbE / 10GbE on 5TCE-PCN-AES cards at each site; Network & Crypto Manager.

L2 Encryption Solution

ConnectGuard secure connectivity on all layers
Diagram: Main Office / HQ (LAN, SAN, cluster) and Branches A, B, C (LAN), with bandwidths from 1.5 Mbit/s and up to 1 Gbit/s, >100 Mbit, >10 Gbit, >100 Gbit/s.
MACsec with cloud (diagram: Site A, Site B, Site C LANs)

prosec with cloud (diagram: Site A, Site B, Site C LANs)

prosec capabilities
- IEEE 802.1AE-2006 compliant with GCM-AES-128 cipher suite
- IEEE 802.1AEbn-2011 compliant with GCM-AES-256 cipher suite
- Packet number generation and checking
- Secure multipoint services
- Advanced MACsec transformation with single/dual VLAN bypass
- Supports point-to-point secure connectivity
- Works in conjunction with ADVA Security Association Protocol (SAP) for the distribution of the cryptographic keys
Diagram: UBS hub site (CE, NID as encryption point) connected over the carrier network to UBS branch #1 (sensitive data on VID10) and UBS branch #2 (sensitive data on VID20); frames cross the carrier network as VID10 SecTAG / VID20 SecTAG, with the VLAN tag in the clear ahead of the SecTAG as in the prosec frame layout.
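A parser for the two frame layouts shown on the modes slide and in the diagram above (SecTAG directly after the source MAC for standard MACsec; one or two VLAN tags left in the clear ahead of the SecTAG for the single/dual VLAN-bypass transformation), as an added example that is not ADVA's code. The frames are constructed here with dummy ciphertext and a dummy ICV; field details of real prosec frames beyond what the slides state are not assumed.

```python
"""Locate the SecTAG in MACsec and VLAN-bypass (prosec-style) frames.
Added example; frame contents are constructed, not captured traffic."""
import struct

ETYPE_STAG, ETYPE_CTAG, ETYPE_MACSEC = 0x88A8, 0x8100, 0x88E5
ICV_LEN = 16  # GCM-AES-128 and GCM-AES-256 both append a 16-byte ICV

def build_sectag(pn, sci=None, an=0):
    """802.1AE SecTAG: EtherType, TCI/AN, SL, PN, optional 8-byte SCI."""
    tci_an = 0x08 | 0x04 | an            # E=1 (encrypted), C=1 (changed)
    if sci is not None:
        tci_an |= 0x20                   # SC=1: explicit SCI follows the PN
    return struct.pack("!HBBI", ETYPE_MACSEC, tci_an, 0, pn) + (sci or b"")

def parse_sectag(frame, off):
    """Decode the SecTAG whose EtherType sits at offset off."""
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    has_sci = bool(tci_an & 0x20)
    length = 16 if has_sci else 8
    return {"an": tci_an & 0x03, "encrypted": bool(tci_an & 0x08), "pn": pn,
            "sci": frame[off + 8:off + 16] if has_sci else None, "length": length}

def classify(frame):
    """Walk the header: VLAN tags before the SecTAG are carried in the clear
    (VLAN bypass); everything after the SecTAG up to the ICV is protected."""
    off, clear_vids = 12, []
    while off + 4 <= len(frame):
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype in (ETYPE_STAG, ETYPE_CTAG):
            clear_vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
            off += 4
        elif etype == ETYPE_MACSEC:
            tag = parse_sectag(frame, off)
            mode = "MACsec" if not clear_vids else f"MACsec with {len(clear_vids)}-VLAN bypass"
            return {"mode": mode, "clear_vids": clear_vids, "sectag": tag,
                    "overhead": tag["length"] + ICV_LEN,
                    "secure_data": frame[off + tag["length"]:-ICV_LEN]}
        else:
            break                        # ordinary EtherType: no SecTAG present
    return {"mode": "plain", "clear_vids": clear_vids, "overhead": 0}

# Constructed sample frames (locally administered MACs, dummy ciphertext and ICV).
DA, SA = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
STAG10 = struct.pack("!HH", ETYPE_STAG, 10)
CTAG20 = struct.pack("!HH", ETYPE_CTAG, 20)
SCI = SA + b"\x00\x01"                   # SCI = MAC address + port identifier
BODY, ICV = b"\xde\xad" * 8, b"\x00" * ICV_LEN
MACSEC_FRAME = DA + SA + build_sectag(1, SCI) + BODY + ICV           # hop-by-hop layout
BYPASS_FRAME = DA + SA + STAG10 + build_sectag(1, SCI) + BODY + ICV  # S-TAG in the clear
PLAIN_FRAME = DA + SA + STAG10 + CTAG20 + b"\x08\x00" + BODY

if __name__ == "__main__":
    for name, f in [("macsec", MACSEC_FRAME), ("bypass", BYPASS_FRAME), ("plain", PLAIN_FRAME)]:
        r = classify(f)
        print(name, r["mode"], r["clear_vids"], r["overhead"])
```

The bypass layout is what lets a carrier switch on the S-TAG while the SecTAG, C-TAG and payload stay opaque, which is the end-to-end property the comparison table credits to MACSec+.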
Encryption Management & Operations

Data Center Networks - Encryption Management for Private Networks
Scenario 1 - User of encryption is the operator of the equipment
Diagram: LAN with EM or LCT/CLI; DCN with NM server and NM clients, 3rd party NEs; Crypto Manager running on the NM.

Data Center Networks - Encryption Management for Private Networks
Scenario 2 - Encryption user does not own the network
Diagram: NM server and NM clients on the operator LAN; a GUI server running NM client apps, reached over the WWW by Customer A; DCN with 3rd party NEs; Crypto Manager running on the GUI server.

Crypto Management - Management Levels Provided
Operational management
- Deals with all operational aspects (FCAPS)
- User access is handled on the NCU
Security management
- Control of all security relevant activities
- Separated from operational management
- Access control handling on the AES muxponder, not on the NCU
- Security relevant activities are performed using the security relevant credentials
- ROOT users have no access to security management

SUMMARY
- Large data center users will migrate certain workloads to the Cloud to take advantage of the latest technologies at affordable costs.
- Security of their data is the No. 1 concern.
- Layer 1 encryption is their solution of choice: it does not impact performance or latency, supports the latest data center protocols, and is easy to manage and operate.
- Layer 2 encryption with MACSec+ innovation enhances deployment flexibility at lower cost and reduces complexity, legacy plus Cloud.
This is what we offer to large enterprises and Cloud Service Providers.
Backup slides
Management Security
Authentication - RADIUS server: centralized password and user management; user-access logging.
Access to the system/NCU - Secure Shell and SNMPv3: full management encryption; embedded craft terminal communication based on HTTPS, SSH or SNMPv3; firmware and database updates via SCP; user tracking.
Security inside Network Manager: CORBA/TLS for client-server communication; northbound I/F: XML/HTTPS, SCP/SSH; filtered network views via Service Manager; all user information in the NM database is encrypted.
Diagram: FSP nodes as RADIUS clients, RADIUS server, local administration, operator via SSH (Secure Shell).

Crypto Officer on Network Manager - Crypto Manager launched for a dedicated service
Crypto Manager
Crypto Manager for Data Services
Encryption can be managed in different ways, based on the usage scenario:
Management via LCT/CLI
- Encryption user has direct access (serial/telnet/https) to the equipment
- Encryption management as a separate management area inside LCT/CLI (separate encryption user and operational user access)
- Every security relevant command inside LCT/CLI has to be confirmed with the crypto officer password
Management via NM/SM/Crypto Manager
- Crypto Manager allows graphical management of encryption parameters
- Each change of parameters inside Crypto Manager must be confirmed with the Crypto Officer password
- Combination with Service Manager enables the operator to give a limited network view to the encryption user so that he only sees/manages his own services
- Service Manager/Crypto Manager can run in a virtualized environment (Citrix) to keep the customer behind the firewall

3000 Security Suite
Benefits for enterprise customers: helps to effectively protect critical information; superior low-latency performance; enables compliance with laws and regulations.
For carriers and service providers: attract new customers in key verticals; differentiate the service offering and increase margins; enable new encryption service offerings through separate transmission and encryption management.