INTERCEPTOR™ Optical Network Security System
Network Infrastructure Security Applications Guide
Secure Passive Optical Network (S-PON) Integrated Solution
S-PON Architecture
$ 1 INTERCEPTOR port per zone (32 secure ONT locations per zone with multiple data ports each)
Seamless Zone Architecture matching PON point-to-multipoint fiber to the desktop model
Optional integration for Zone-based security including Data Shut-Off features
Advanced Network Management System integration
No end-to-end Daily Inspections (PVIs)
Highly Secured by 24/7/365 real-time monitoring with Smart Filtering to eliminate false alarms
Long-lasting, high-bandwidth, secure single mode fiber data infrastructure
Options for securing multiple network classifications on a single secure infrastructure
Ultimate flexibility for rapid deployment and support of moves/adds/changes
1937 Tate Boulevard, SE Hickory, North Carolina 28602, USA. Call 877 NIS 4PDS (877.647.4737)
networkintegritysystems.com
Base or Campus Wide Architecture
LAN Point-to-Multipoint
INTERCEPTOR Intelligent-PDS™
Legacy PDS Retrofit Applications
Encryption Devices
[Diagram labels: Legacy Hardened Carrier PDS; Armored Cable; Zone 1; Zone 2; Zone 3]
INTERCEPTOR Intelligent PDS: LAN Point to Multipoint
Flexible Alarm Notification and Response
$ If using Alarmed-Armored PDS, all epoxy and conduit is eliminated
Multiple drops per zone; reducing costs per secure drops
Integration options include Facility IDS, Network Management Systems, and Mobile Devices
No end-to-end daily inspections
Concealed classified infrastructure; no conduit exposed in hallways and office spaces
Scalable and flexible infrastructure
No rigid metallic conduit
Highly secured by 24/7/365 real-time monitoring with Smart Filtering™ to eliminate false alarms
$$ Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes.
Periodic Visual Inspections (Daily) require manpower to detect any threats and meet regulations
Nearly impossible to guarantee security in deployments with hundreds or thousands of secure drops
Poor aesthetics
No real-time security and poor intrusion prevention, focus is on detection of intrusions
Epoxy requirements for joints, junction points, and user lockbox connections
Labor intensive to install
Note: In existing legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit
$$$ High up-front costs of equipment per secure link
Often limits bandwidth on the secure link
COMSEC and Key management challenges require manpower
Not scalable; request for additional encryption devices can take many months
No prevention or detection of physical intrusions; trust placed in encryption only
Note: Transition from encryption to INTERCEPTOR provides a quick way to upgrade performance and security, while reducing long term costs
[Diagram labels: Network Switch; INTERCEPTOR; Patch Panel; Zone Box; Zone 1; Zone 2; Zone 3; Encryptor; Desktop Encryptors; SCIF]
Retro-fit (Alarming Legacy PDS) to Eliminate Inspection and Epoxy
INTERCEPTOR™ Alarmed-Armored PDS
Secure Communications Room
Alarmed-Armored PDS: All Zones Monitored 24/7/365 by INTERCEPTOR™
Splitter can be located inside zone box or comm room.
[Diagram labels: Core Router SIPR; Core Router NIPR; Copper Jumpers; Desktop SIPR; Desktop NIPR; Alarm Patch Panel; SIPR Splitter 1:32; Secure SIPR ONT with Alarm Loopback; Patch Panel; Network Switch; INTERCEPTOR; INTERCEPTOR LD2; Zone Box; Local OSP]
INTERCEPTOR™ and INTERCEPTOR LD2™
INTERCEPTOR enables flexible alarm and alert options
INTERCEPTOR ZONE(S)
INTERCEPTOR LD2 ZONE(S)
Intrusion Location Technology: Intrusion located within 25 meters
Up to 50 mile range
LD2 = Long Distance & Location Detection
$ Detects and locates tampering and intrusion attempts to any point on the data cable, up to 50 mile range
Perfect for extending S-PON and other fiber optic data infrastructures across a base or campus
Combined with INTERCEPTOR, you can now secure and monitor your entire LAN/WAN infrastructure leveraging existing standard fiber optic cable
We Bring Security To Light™
[Diagram labels: Building A; Building B; Zone 1; Zone 2; Zone Box; From INTERCEPTOR to Building B SCIF]
$ A single INTERCEPTOR can monitor ISP & OSP on multiple channels
Secure SCIF and office connections
Eliminate end-to-end daily inspections (PVIs)
Retrofit EMT/conduits in legacy environment
No EMT in new construction
If using Alarmed-Armored PDS, all epoxy and conduit is eliminated
[Diagram labels: Building A; Patch Panel; Patch Panel Alarm Loopback; Encryptor; Desktop Encryptors; Network Switch; INTERCEPTOR; Zone Box; SCIF; From INTERCEPTOR to Building B SCIF]
$$$ Expensive concrete encasement and construction effort required
Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes
Periodic Visual Inspections (Daily) require manpower to detect any threats
Poor aesthetics
No real-time security and poor intrusion prevention, focus is on detection of intrusions
Epoxy requirements for joints, junction points, and user lockbox connections
Labor intensive to install
Note: In existing legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit
$$$ High up-front costs of equipment per secure link
Often limits bandwidth on the secure link
COMSEC and Key management challenges require manpower
Not scalable; request for additional encryption devices can take many months
No prevention or detection of physical intrusions; trust placed in encryption only
Note: Transition from encryption to INTERCEPTOR provides a quick way to upgrade performance and security, while reducing long term costs
[Diagram labels: Building A; Building B; Network Switch; Encryptor; Patch Panel; Patch Panel Alarm Loopback; SCIF; Concrete; Duct; Cables; Concrete Encased to Building B SCIF]
Duct bank must be buried a minimum of 1 meter below the surface. In many cases, encased in 8” of concrete.
$$$ Expensive concrete encasement and construction effort required
Periodic Visual Inspections (Daily) require manpower to detect any threats and meet requirements
No real-time security and poor intrusion prevention, focus is on detection of intrusions
Not flexible/scalable; requires extensive materials, labor and potential downtime to support moves/adds/changes
Note: In existing Legacy PDS installations, INTERCEPTOR can be used to alarm the conduit, eliminate PVIs and epoxy requirements, and expand to support moves/adds/changes without new conduit.
[Diagram labels: Building A; Building B; Concrete; Duct; Cables]
$ Only 1 INTERCEPTOR port to secure each Building-Building link
Options for securing multiple network classifications per INTERCEPTOR port
Full bandwidth utilization – INTERCEPTOR has no impact on bandwidth
Easily reconfigurable to add new, relocate or reconfigure network links and classifications
Integration options include Facility IDS, Network Management Systems, and Mobile Devices
No end-to-end daily inspections (PVIs)
Highly Secured by 24/7/365 real-time monitoring with Smart Filtering™ to eliminate false alarms
[Diagram labels: Building A; Building B; Data Fibers; Monitoring Fibers; Protected Network Trunk Cable; INTERCEPTOR™; Patch Panel; Patch Panel Alarm Loopback; Network Switch; Encryptor]
[Comparison panels: Backbone ISP to OSP (INTERCEPTOR Intelligent-PDS™, Legacy PDS, Encryption); Building to Building (OSP) (INTERCEPTOR Intelligent-PDS™, Legacy PDS, Encryption)]
The INTERCEPTOR™ Optical Network Security System enables Intelligent-PDS™ solutions (including Secure PON) that, unlike legacy PDS systems, support the growing demand for connections to classified networks while offering cost savings, enhanced security and the situational awareness required in today’s environment. As of late 2012, INTERCEPTOR has recorded 50 million port hours protecting classified US government networks up to TS/SCI level. INTERCEPTOR works by monitoring spare fibers contained within the cables requiring protection, which makes the entire cable a sensor capable of detecting tampering with the infrastructure. Patented Smart-filtering™ technology eliminates false alarms by learning the normal day-to-day activity within the environment.
INTERCEPTOR makes protecting networks cost effective and enhances security by replacing the daily human visual inspections required to secure traditional PDS with 24/7/365 monitoring. This results in more attractive buildings, because with the elimination of inspections comes the authority to remove PDS from the wall and conceal it above the ceiling or below the floor. In some cases, INTERCEPTOR can be used along with a flexible interlocking armored fiber optic cable infrastructure to completely eliminate all requirements for EMT or rigid metallic conduit systems.*
INTERCEPTOR™ supports multiple integration options for responding to alarms and managing Standard Operating Procedures (SOP) associated with an alarmed-PDS.
Compared to encryption, INTERCEPTOR offers unrestrained bandwidth and significant cost savings over traditional inline network encryptors. As a physical layer device, INTERCEPTOR protects the integrity and availability of network circuits that are transporting national security information – without any COMSEC account requirements or limitations.
A point-to-multipoint monitoring configuration allows multiple offices or workstations to be protected by a single alarm system port rather than each requiring its own port. It is technically possible to protect several hundred end-user drops with a single alarm device, resulting in tremendous cost savings compared to legacy protection methods.
NIS also offers a cost-effective, intelligent solution that will monitor up to 40 km in single-ended networks and up to 80 km in a ring configuration. Called the INTERCEPTOR LD2™, this advanced network security monitoring system can detect and pinpoint intrusion attempts or tampering within 25 meters (or better) anywhere along the data network. The system’s advanced signal processing reduces nuisance alarms while maintaining high sensitivity to intrusions. As with INTERCEPTOR, the INTERCEPTOR LD2 does not access or interfere with network traffic or bandwidth, and can be deployed with any type of network switching technology. Per NSTISSI 7003, this deployment scenario is the approved alternative to outside plant hardened PDS, negating the need for trenching and concrete encasement for the full distance of the pathway.
*US Army and US Air Force. Others should check your agency’s policy.
www.networkintegritysystems.com