
Page 1

INTERCEPTOR™ OPTICAL NETWORK SECURITY SYSTEM

NETWORK INFRASTRUCTURE SECURITY APPLICATIONS GUIDE

Secure Passive Optical Network (S-PON) Integrated Solution

S-PON Architecture

$

1 INTERCEPTOR port per zone (32 secure ONT locations per zone with multiple data ports each)

Seamless Zone Architecture matching PON point-to-multipoint fiber to the desktop model

Optional integration for Zone-based security including Data Shut-Off features

Advanced Network Management System integration

No end-to-end Daily Inspections (PVIs)

Highly Secured by 24/7/365 real-time monitoring with Smart Filtering to eliminate false alarms

Long-lasting, high-bandwidth, secure single mode fiber data infrastructure

Options for securing multiple network classifications on a single secure infrastructure

Ultimate flexibility for rapid deployment and support of moves/adds/changes

1937 Tate Boulevard, SE Hickory, North Carolina 28602, USA

Call 877 NIS 4PDS (877.647.4737)

networkintegritysystems.com

Base or Campus Wide Architecture

LAN Point-to-Multipoint

[Diagrams. Panel titles: INTERCEPTOR Intelligent PDS: LAN Point to Multipoint; Legacy PDS Retrofit Applications; Flexible Alarm Notification and Response. Labels: Zone 1, Zone 2, Zone 3, Armored Cable]

INTERCEPTOR Intelligent-PDS™

$

If using Alarmed-Armored PDS, all epoxy and conduit is eliminated

Multiple drops per zone, reducing cost per secure drop

Integration options include Facility IDS, Network Management Systems, and Mobile Devices

No end-to-end daily inspections

Concealed classified infrastructure; no conduit exposed in hallways and office spaces

Scalable and flexible infrastructure

No rigid metallic conduit

Highly secured by 24/7/365 real-time monitoring with Smart Filtering™ to eliminate false alarms

Legacy Hardened Carrier PDS

$$

Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes

Periodic Visual Inspections (Daily) require manpower to detect any threats and meet regulations

Nearly impossible to guarantee security in deployments with hundreds or thousands of secure drops

Poor aesthetics

No real-time security and poor intrusion prevention; focus is on detection of intrusions

Epoxy requirements for joints, junction points, and user lockbox connections

Labor intensive to install

Note: In existing legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit.

Encryption Devices

$$ $

High up-front costs of equipment per secure link

Often limits bandwidth on the secure link

COMSEC and key management challenges require manpower

Not scalable; request for additional encryption devices can take many months

No prevention or detection of physical intrusions; trust placed in encryption only

Note: Transition from encryption to INTERCEPTOR provides a quick way to upgrade performance and security, while reducing long-term costs.

[Diagrams. Panel titles: Flexible Alarm Notification and Response; Retro-fit (Alarming Legacy PDS) to Eliminate Inspection and Epoxy; Desktop Encryptors; INTERCEPTOR™ Alarmed-Armored PDS. Labels: Network Switch, INTERCEPTOR, Patch Panel, Encryptor, Zone Box, SCIF, Secure Communications Room, Zone 1, Zone 2, Zone 3]

Alarmed-Armored PDS: All Zones Monitored 24/7/365 by INTERCEPTOR™

Splitter can be located inside zone box or comm room.

[Diagram labels: Core Router SIPR, Core Router NIPR, Copper Jumpers, Desktop SIPR, Desktop NIPR, Alarm Patch Panel, SIPR Splitter 1:32, Secure SIPR ONT with Alarm Loopback, Patch Panel, INTERCEPTOR, INTERCEPTOR LD2, Network Switch, Local OSP, Zone Box, INTERCEPTOR ZONE(S)]

INTERCEPTOR enables flexible alarm and alert options

INTERCEPTOR™ and INTERCEPTOR LD2™

LD² = Long Distance & Location Detection

[Diagram labels: INTERCEPTOR LD2 ZONE(S); Intrusion Location Technology; Intrusion located within 25 meters; Up to 50 mile range]

$

Detects and locates tampering and intrusion attempts to any point on the data cable, up to 50 mile range

Perfect for extending S-PON and other fiber optic data infrastructures across a base or campus

Combined with INTERCEPTOR, you can now secure and monitor your entire LAN/WAN infrastructure leveraging existing standard fiber optic cable

We Bring Security To Light™

Page 2

Backbone ISP to OSP

[Diagrams. Panel titles: From INTERCEPTOR to Building B SCIF; Desktop Encryptors; Concrete Encased to Building B SCIF. Labels: Building A, Building B, Zone 1, Zone 2, Zone Box, SCIF, INTERCEPTOR, Patch Panel, Network Switch, Alarm Loopback, Encryptor, Concrete, Duct, Cables]

INTERCEPTOR Intelligent-PDS™

$

A single INTERCEPTOR can monitor ISP & OSP on multiple channels

Secure SCIF and office connections

Eliminate end-to-end daily inspections (PVIs)

Retrofit EMT/conduits in legacy environment

No EMT in new construction

If using Alarmed-Armored PDS, all epoxy and conduit is eliminated

Legacy PDS

$$$

Expensive concrete encasement and construction effort required

Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes

Periodic Visual Inspections (Daily) require manpower to detect any threats

Poor aesthetics

No real-time security and poor intrusion prevention; focus is on detection of intrusions

Epoxy requirements for joints, junction points, and user lockbox connections

Labor intensive to install

Duct bank must be buried a minimum of 1 meter below the surface. In many cases, encased in 8” of concrete.

Note: In existing legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit.

Encryption

$$ $

High up-front costs of equipment per secure link

Often limits bandwidth on the secure link

COMSEC and key management challenges require manpower

Not scalable; request for additional encryption devices can take many months

No prevention or detection of physical intrusions; trust placed in encryption only

Note: Transition from encryption to INTERCEPTOR provides a quick way to upgrade performance and security, while reducing long-term costs.

Building to Building (OSP)

[Diagram labels: Building A, Building B, Data Fibers, Monitoring Fibers, Protected Network Trunk Cable, INTERCEPTOR™, Patch Panel, Network Switch, Alarm Loopback, Encryptor, Concrete, Duct, Cables]

INTERCEPTOR Intelligent-PDS™

$

Only 1 INTERCEPTOR port to secure each Building-Building link

Options for securing multiple network classifications per INTERCEPTOR port

Full bandwidth utilization; INTERCEPTOR has no impact on bandwidth

Easily reconfigurable to add new, relocate or reconfigure network links and classifications

Integration options include Facility IDS, Network Management Systems, and Mobile Devices

No end-to-end daily inspections (PVIs)

Highly Secured by 24/7/365 real-time monitoring with Smart Filtering™ to eliminate false alarms

Legacy PDS

$$$

Expensive concrete encasement and construction effort required

Periodic Visual Inspections (Daily) require manpower to detect any threats and meet requirements

No real-time security and poor intrusion prevention; focus is on detection of intrusions

Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes

Duct bank must be buried a minimum of 1 meter below the surface. In many cases, encased in 8” of concrete.

Note: In existing Legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit.

Encryption

$$ $

The INTERCEPTOR™ Optical Network Security System enables Intelligent-PDS™ solutions (including Secure PON) that, unlike legacy PDS systems, support the growing demand for connections to classified networks while offering cost savings, enhanced security and the situational awareness required in today’s environment. As of late 2012, INTERCEPTOR has recorded 50 million port hours protecting classified US government networks up to TS/SCI level. INTERCEPTOR works by monitoring spare fibers contained within the cables requiring protection, which makes the entire cable a sensor capable of detecting tampering with the infrastructure. Patented Smart-filtering™ technology eliminates false alarms by learning the normal day-to-day activity within the environment.

INTERCEPTOR makes protecting networks cost effective and enhances security by replacing the daily human visual inspections required to secure traditional PDS with 24/7/365 monitoring. This results in more attractive buildings, because with the elimination of inspections comes the authority to remove PDS from the wall and conceal it above the ceiling or below the floor. In some cases, INTERCEPTOR can be used along with a flexible interlocking armored fiber optic cable infrastructure to completely eliminate all requirements for EMT or rigid metallic conduit systems.*

INTERCEPTOR™ supports multiple integration options for responding to alarms and managing Standard Operating Procedures (SOP) associated with an alarmed-PDS.

Compared to encryption, INTERCEPTOR offers unrestrained bandwidth and significant cost savings over traditional inline network encryptors. As a physical layer device, INTERCEPTOR protects the integrity and availability of network circuits that are transporting national security information, without any COMSEC account requirements or limitations.

A point-to-multipoint monitoring configuration allows multiple offices or workstations to be protected by a single alarm system port rather than each requiring its own port. It is technically possible to protect several hundred end-user drops with a single alarm device, resulting in tremendous cost savings compared to legacy protection methods.

NIS also offers a cost-effective, intelligent solution that will monitor up to 40 km in single-ended networks and up to 80 km in a ring configuration. Called the INTERCEPTOR LD2™, this advanced network security monitoring system can detect and pinpoint intrusion attempts or tampering within 25 meters (or better) anywhere along the data network. The system’s advanced signal processing reduces nuisance alarms while maintaining high sensitivity to intrusions. As with INTERCEPTOR, the INTERCEPTOR LD2 does not access or interfere with network traffic or bandwidth, and can be deployed with any type of network switching technology. Per NSTISSI 7003, this deployment scenario is the approved alternative to outside plant hardened PDS, negating the need for trenching and concrete encasement for the full distance of the pathway.

*US Army and US Air Force. Others should check your agency’s policy.

www.networkintegritysystems.com