Protecting Optical Fiber: The Last Link In Network Security
The threat of a data breach due to hackers has never been higher for many federal government agencies. At the same time, the amount of classified data is increasing dramatically, which means agencies are looking at all possible ways to protect that data both inside the data center and when it is in transit between data centers.
Agencies’ use of fiber optic cable and networking equipment to connect data centers is growing, and several new technologies are emerging to provide enhanced physical protection for these interconnections so that they aren’t a point of vulnerability in the overall data security plan.
Hardened Cable Conduits
The National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003 requires and defines protection for any data circuits carrying classified data.
Encryption can be used on these circuits, but this approach isn’t very prevalent because the encryption must be COMSEC-compliant, which limits the bandwidth and adds to the cost. The most popular approach is a more physical protection scheme that involves routing fiber cables through steel or concrete-encased conduit banks for building-to-building connections, and a hardened concrete or steel protected distribution system (PDS) for in-building local area networks (LANs).
These approaches improve data line physical security, but do have some drawbacks.
Even though they offer protection, they still need to be inspected frequently to ensure that they haven’t been breached, a task typically done manually by security personnel assigned to walk the entire length of PDS every 24 hours. This ties up costly resources and requires that the conduit be below the ceiling (not aesthetically pleasing) to be observable. This approach also doesn’t guarantee that a breach is intercepted between inspections.
To replace the need for visual inspection, some of the unlit fiber strands in the bundle can instead become alarming fibers that are sensitive to acoustic vibrations and can thus detect a breach. Once they are moved or disturbed, they send a message to network management. Getting the sensitivity correct on these fibers has historically been a problem that has led to a significant number of false alarms.
Layering On More Security
New technologies are available now to help provide an even higher level of security on these data circuits as well as a means to disconnect or re-direct traffic on a compromised link and to copy and store the packets on that link in order to know exactly what data was lost.
These new technologies start with improvements to the alarming fibers that can adjust their sensitivity to the normal level of that conduit. This cuts down dramatically on the false positives.
The alarming systems are also able to plug into infrastructure management software (IMS) that provides automation and a dashboard that allows remote monitoring of the events and alarms and the overall health of the network. The software can issue incident reports when alarms exceed the configured threshold.
One of the big challenges remaining after detection and alerting have been addressed is disconnecting or redirecting the data onto a backup network to limit the data exfiltration damage caused by the cyber criminal. Fiber-optic circuit switches have been used by several agencies to handle this task.
These switches are inserted between the network packet switch and the fiber-optic backbone cables. In normal operation, the switches pass the data straight through to the backbone network with very low latency.
But in the event of a breach, they are able to redirect this traffic instantly to a backup fiber network. If no backup is configured, the switch can instantly stop the data transfer. Optical taps can also be used on the circuit to passively copy the data to a network monitoring system. In the event of a data breach, the network manager can go back to this stored data to determine the severity of the breach.
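The detection and response chain described above (sensitivity tuned to each conduit's normal level, an incident once alarms exceed a configured threshold, then redirect or disconnect) can be modeled as follows. This is an added example, not code from the article or any vendor; the median-based baseline, the class and function names, the numeric limits and the sample readings are all assumptions made for illustration.

```python
from collections import deque
from statistics import median

class ConduitMonitor:
    """Hypothetical alarm logic for one alarmed conduit; not a vendor algorithm."""

    def __init__(self, backup_configured, k=6.0, alarm_limit=3, window=10, history=30):
        self.backup_configured = backup_configured
        self.k = k                          # deviations above baseline that count as an alarm
        self.alarm_limit = alarm_limit      # alarms within `window` samples that open an incident
        self.quiet = deque(maxlen=history)  # recent non-alarm readings: this conduit's normal level
        self.recent = deque(maxlen=window)  # 1 = alarm, 0 = normal
        self.state = "pass-through"

    def threshold(self):
        base = median(self.quiet)
        # Median absolute deviation, floored so a silent conduit still has a band.
        spread = median(abs(x - base) for x in self.quiet) or 0.01
        return base + self.k * spread

    def ingest(self, level):
        if len(self.quiet) < self.quiet.maxlen:   # still learning the baseline
            self.quiet.append(level)
            return self.state
        alarm = level > self.threshold()
        self.recent.append(1 if alarm else 0)
        if not alarm:
            self.quiet.append(level)              # a disturbance must not raise the baseline
        if self.state == "pass-through" and sum(self.recent) >= self.alarm_limit:
            # Response from the article: redirect to backup, or stop traffic if none exists.
            self.state = "redirect-to-backup" if self.backup_configured else "disconnect"
        return self.state

def replay(samples, backup_configured):
    """Feed vibration levels (arbitrary units) to a fresh monitor; return the final switch state."""
    monitor = ConduitMonitor(backup_configured)
    for level in samples:
        monitor.ingest(level)
    return monitor.state

# Constructed sample data: 30 baseline readings per conduit, then test readings.
NOISY = [0.40, 0.55, 0.45, 0.60, 0.50] * 6   # conduit near machinery
QUIET = [0.04, 0.05, 0.06, 0.05, 0.05] * 6   # conduit in a still corridor

if __name__ == "__main__":
    print(replay(NOISY + [0.70] * 3, True))          # within the noisy conduit's normal band
    print(replay(QUIET + [0.70] * 3, True))          # same level is a disturbance here
    print(replay(NOISY + [0.9, 1.2, 1.1], False))    # sustained disturbance, no backup path
```

Because alarm readings are excluded from the baseline, a slow, sustained disturbance cannot train the monitor into accepting it as normal.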
Agencies seeking to harden their networks against cyberattacks shouldn’t take the security of their PDS for granted. With the addition of several new technologies, security can be dramatically improved while also improving the chances of stopping data before it gets into the hands of data thieves.